


Aerospace Safety 
Advisory Panel 

Annual Report 

March 1994 


Aerospace Safety Advisory Panel 
Code Q-1 

NASA Headquarters 
Washington, DC 20546 


Tel: (202)358-0567 



NASA

National Aeronautics and 
Space Administration 

Washington, D.C.

20546 


Reply to Attn of: Q-1


March 1994 


Honorable Daniel S. Goldin 
Administrator 
NASA Headquarters 
Washington, D.C. 20546 

Dear Mr. Goldin: 

The Aerospace Safety Advisory Panel (ASAP) is pleased to submit its Annual Report 
covering the period from February 1993 through January 1994. The report contains 
findings, recommendations, and supporting material; however, we ask that you respond 
only to Section II, "Findings and Recommendations." 

Over the past year, we have appreciated the support you have shown for our work 
through your careful consideration of our previous analyses and recommendations and 
the several special assignments you have given us. We have explored topics such as the 
impact of demanding schedules, Structured Surveillance, and cost reductions on launch 
processing; orbital debris; Space Shuttle main engine fabrication and processing; and 
NASA’s response to the National Research Council’s report on Space Shuttle software. 
We also have reviewed a number of NASA’s aeronautics programs. We have kept 
abreast of developments with the Space Station, although our normal safety oversight 
activities were impossible given the Station’s state of flux throughout the year. 

We enter the new year with continued admiration for the successful NASA team but 
with some significant concerns about potential problems. While we realize that NASA 
must respond to imposed budgetary constraints, we are uncomfortable about deferring 
needed safety improvements such as the High Pressure Fuel Turbopump. We also are 
concerned about organizational changes that could impact the safety of NASA’s 
programs. Finally, now that a firm direction for the Space Station has been established, 
we wish to obtain a better understanding of any safety implications inherent in the 
integration of elements of the Russian space program because we understand that it has 
heretofore adopted a somewhat different design approach and safety philosophy from 
those of NASA. 

The ASAP will continue its advisory role to you and the Congress in the upcoming year 
by providing safety oversight to assist in minimizing the risks inherent in aeronautics and 
space operations. 

Very truly yours,

Norman R. Parmet 
Chairman 

Aerospace Safety Advisory Panel 





TABLE OF CONTENTS

I. INTRODUCTION

II. FINDINGS AND RECOMMENDATIONS

   A. SPACE STATION PROGRAM
   B. SPACE SHUTTLE PROGRAM
      Launch and Landing
      Orbiter
      Space Shuttle Main Engines
      Solid Rocket Motors
      External Tank
      Logistics and Support
   C. AERONAUTICS
   D. OTHER

III. INFORMATION IN SUPPORT OF FINDINGS AND RECOMMENDATIONS

   A. SPACE STATION PROGRAM
   B. SPACE SHUTTLE PROGRAM
      Launch and Landing
      Orbiter
      Space Shuttle Main Engines
      Solid Rocket Motors
      External Tank
      Logistics and Support
   C. AERONAUTICS
   D. OTHER

IV. APPENDICES

   A. NASA AEROSPACE SAFETY ADVISORY PANEL MEMBERSHIP
   B. NASA RESPONSE TO THE MARCH 1993 ANNUAL REPORT
   C. AEROSPACE SAFETY ADVISORY PANEL ACTIVITIES





I. INTRODUCTION 







The success of the complex Hubble Space 
Telescope repair mission capped a year of 
major transition for NASA. In a period of 
severe budget cutbacks and organizational 
change, the Space Shuttle continued its 
successful operations, although it experienced 
numerous minor problems. The decision 
to enter a partnership with the Russian space 
program for the development of a space 
station will have a profound impact on the 
way the station’s and NASA’s futures evolve. 
Aeronautics research programs also 
continued their significant advances. 

As in previous years, the role of the 
Aerospace Safety Advisory Panel (ASAP) 
was one of oversight and counsel to the 
NASA Administrator and the Congress on 
the safety aspects of the various programs. 
Fulfilling this role over the past year was 
both challenging and frustrating. Changes 
in the Space Shuttle and Space Station 
programs during the year made it difficult 
for the Panel to determine where to devote 
its attention. The Panel decided it was best 
to defer looking at the transitioning 
programs and to focus its primary efforts 
on the continuing launch processing activities 
at the Kennedy Space Center (KSC) and 
several special assignments requested by the 
Administrator. These included a review of 
the Space Shuttle Main Engine (SSME) 
manufacturing processes, an audit of NASA’s 
response to the National Research Council’s 
report on Space Shuttle software, a review 
of the implications of cost reductions on the 
safety of launch processing at KSC, and a 
review of NASA and contractor Total 
Quality Management (TQM) programs. 


Notably absent from the Panel’s efforts 
during the year was a detailed focus on the 
Space Station or the Advanced Solid Rocket 
Motor (ASRM). Both programs were in 
a state of flux throughout the year. As this 
report was being written, however, clear 
directions for the upcoming year appear to 
have emerged. Because the ASRM program 
has been canceled, future Panel efforts will 
be directed towards the Redesigned Solid 
Rocket Motor (RSRM) and possible 
incorporation of safety and performance 
improvements from the ASRM development 
effort. 

The decision to pursue joint space programs 
with the Russians raises several areas of 
possible safety concern. These include the 
integration of hardware and software from 
two operations with somewhat different 
philosophies, outlooks, and constraints, and 
the methods available for generating and 
verifying requirements. Thus, the Panel will 
place particular emphasis on the joint 
programs during the upcoming year. 

NASA continues to demonstrate a strong 
commitment to safety. The processes and 
procedures in place have resulted in highly 
successful Space Shuttle missions. They also 
have been effective in identifying and dealing 
with technical anomalies that have arisen. 
The potential impacts on safety of 
organizational and budgetary changes will 
be significantly more difficult to assess. The 
Panel will have to take these changes into 
account so that it can continue to provide 
safety oversight to the Agency. The ASAP 
is confident that, working cooperatively with
NASA and contractor personnel, it will be
able to help minimize risk in our nation’s 
aerospace programs. 

Section II presents "Findings and 
Recommendations." Section III provides 
"Information in Support of Findings and 
Recommendations" for readers interested 
in more details. Appendices in Section IV 
contain data about the Panel membership,
the NASA response to the March 1993
ASAP report, and a chronology of the 
Panel’s activities during the past year. 

As the year came to a close, Mr. Arthur V. 
Palmer retired from NASA and his position 
as Staff Director of the Panel. He was 
replaced in this position by Mr. Frank L. 
Manning. 




II. FINDINGS AND RECOMMENDATIONS 






A. SPACE STATION PROGRAM 


Finding #1: Joint U.S. and Russian space
programs, including the Space Station, are
now underway. Potential safety concerns
arising from these collaborative efforts have
not yet been completely defined or addressed.

Recommendation #1: Safety requirements
for the joint programs should be established
from a thorough understanding of the
underlying policies of design, test, and review
in use by each country. Timely total systems
analyses should be conducted to ensure
adequate safety of components and interfaces
as well as overall system safety.

Finding #2: Much good work has been done 
to assess the impact of space debris on the 
long-duration mission of the Space Station, 
and significant accomplishments have been 
made in developing shielding to protect the 
Station. However, there is still insufficient 
information on the probability that penetrations
will have a catastrophic effect.

Recommendation #2: To support effective 
risk management, NASA should continue 
its emphasis on space debris problems, 
including a better characterization of the 
risk of catastrophic failures and an assessment
of the capability to add shielding on-orbit.




Finding #3: Consideration is being given 
to maneuvering the Space Station to avoid 
larger debris that are capable of being 
tracked. Such maneuvers raise concerns 
about Station structural dynamics, disruption 
of the microgravity environment, and the 
ability of existing or planned systems to 
provide adequate debris tracking data. 

Recommendation #3: Before adopting any
maneuvering option, care must be taken to 
ensure that the dynamics of operation, 
including their effects on hardware, e.g., 
solar and radiator panels, and their influence 
on microgravity experiment operations, are 
considered. Realistic evaluation must also 
be made of the ability of ground-based and 
on-orbit systems to support maneuvering 
options with adequate debris tracking. 

Finding #4: Present plans for rescue of
Space Station personnel are not fully defined 
and may prove unsatisfactory without more 
precise and detailed planning, including 
necessary training and restrictions on the 
Station population. 

Recommendation #4: NASA should
reexamine current plans to ensure that they 
meet the required safety criteria. If they 
do not, priority should be given to the 
protocols necessary to ensure rescue of the 
entire Station crew if the Station must be 
evacuated. 





B. SPACE SHUTTLE PROGRAM 


LAUNCH AND LANDING 

Finding #5: The organization and management
of Space Shuttle launch operations
at Kennedy Space Center (KSC) continue 
to benefit from a "continuous improvement 
process" managed by the Shuttle Processing 
Contractor (SPC). Greater employee 
involvement, better communications, 
strengthened employee training and the use 
of task teams, process improvement teams, 
and a management steering committee have 
been major factors in this improvement. 

Recommendation #5: A strong commitment 
to achieving "continuous improvement," 
despite budget cutbacks, should be 
maintained, at the same time recognizing 
the paramount priority of safety. 

Finding #6: More than 1,200 positions have
been eliminated by the SPC since September 
1991 with only about 22 percent being 
achieved through involuntary separations. 
Present reductions have been achieved 
without an apparent adverse effect on the 
safety of launch processing. A comparable 
further reduction has been called for by the 
end of FY 1995. These additional reductions
cannot likely be made without a higher 
probability of impacting safety. 

Recommendation #6: KSC and SPC
management must be vigilant and vocal in
avoiding any unacceptable impacts on safety 
as a result of cost reductions planned for 
FY 1995 and beyond. 

Finding #7: Several Space Shuttle processing
problems at KSC have been attributed to
human factors issues. KSC has recently
formed a human factors task force to address
these problems. 

Recommendation #7: KSC should ensure 
that the human factors task force includes 
individuals with training and experience in 
the field. Specific assistance should be 
sought from appropriate research centers 
and technology groups within NASA. 

Finding #8: KSC has developed a Structured 
Surveillance Program with the objectives 
of decreasing overall process flow time, 
increasing "first-time quality," and reducing 
cost. The program approach involves 
reducing the reliance on inspections for 
assuring quality. Structured Surveillance 
also is proving valuable as a tool for the 
effective deployment of quality assurance 
resources. 

Recommendation #8: The Structured
Surveillance program should be continued
and cautiously expanded. 

ORBITER

Finding #9: Thermal damage was noted on
the STS-56 (OV-103) elevon tiles. The
slumping of the tiles indicated that the tile
surface reached a temperature of approximately
1,000° F. A temperature of this
magnitude suggests that the temper and 
strength of the underlying aluminum 
structure could have been affected. 

Recommendation #9: NASA should initiate 
an analysis to determine the temperature 
profile of the underlying aluminum structure 
of the elevons and its possible consequences 
on the strength of the Orbiter structure. 





Finding #10: The Shuttle tiles have provided
effective heat protection. However, the 
surface of the tiles is easily damaged and 
their shrinkage and distortion properties are 
not as low as desired. A new tile 
formulation with superior characteristics and 
possibly lower density is being explored. 

Recommendation #10: NASA is encouraged
to support the development of thermal 
protection tiles with improved mechanical 
properties and lower density than the current 
Shuttle tiles. 

Finding #11: NASA has made excellent 
progress on the engineering of the 
Multipurpose Electronic Display System 
(MEDS) for retrofitting Orbiter displays. 
However, there is no formal program to 
identify and include the safety advantages 
possible from a fully exploited MEDS. 

Recommendation #11: A thorough review
of the performance and safety improvements 
possible from a completely developed MEDS 
should be conducted based on crew inputs 
to system designers and researchers. A 
definitive plan should be developed to 
determine the schedule/cost implications 
of such improvements, and, if warranted, 
implementation should be scheduled as soon 
as possible. 

Finding #12: The Improved Auxiliary Power
Unit (IAPU) has experienced problems that
have impacted Space Shuttle processing and 
logistics. 

Recommendation #12: A new focus on
increasing the reliability of the total IAPU
system should be initiated and supported 
until the identified problems are solved. 

Finding #13: In its response to the Panel’s
last Annual Report, NASA indicated that
"The program is reviewing the operational
flight rules pertaining to Autoland, we have
budgeted upgrades in software and hardware 
to improve the Autoland functionality, the 
life sciences organization is collecting 
physiological data and developing 
countermeasures to ensure adequate crew 
performance as the mission duration 
increases. We are confident with using 
Autoland in a contingency mode, but do not 
plan to demonstrate Autoland until a firm 
requirement mandates a demonstration." 

Recommendation #13: The focus of
Autoland should not be exclusively on long-duration
missions. NASA should formulate
a complete set of operational procedures 
needed for emergency use of Autoland, 
taking into account a full range of 
operational scenarios and equipment 
modifications that might be beneficial. 
These include upgrades to the Microwave 
Scanning Beam Landing System (MSBLS) 
receiver group, and installation and 
certification of Global Positioning System 
(GPS) capability. 

SPACE SHUTTLE MAIN ENGINES (SSME)


Finding #14: The SSME has performed well
in flight but has been the cause of launch 
delays and on-pad launch aborts that were 
primarily attributable to manufacturing 
control problems. 

Recommendation #14: Continue to
implement the corrective actions developed
by the NASA and Rocketdyne manufacturing 
process review teams and devise techniques 
for detecting and/or precluding recurrence 
of the types of problems identified. 

Finding #15: "Sheetmetal" cracks in the
Phase II (current) High Pressure Fuel
Turbopump (HPFTP) have become more
frequent and are larger than previously
experienced. This has led to the imposition
of a 4,250-second operating time limit and
a reduction of allowable crack size by a 
factor of four. Congress has delayed the 
funding for restarting the development of 
the alternate HPFTP. This new turbopump 
design should eliminate the cracking 
problem. 

Recommendation #15: Restart the
development and certification of the
alternate HPFTP immediately. 

Finding #16: The approved parts of the
engine component improvement programs, 
now organized into block changes, are 
progressing well. The Block I grouping will 
enter formal certification testing by mid-1994.
Progress in the Block II effort is,
however, hampered by the delay in restarting 
the alternate HPFTP development effort. 

Recommendation #16: Continue efforts to
complete all of the Block II development 
as soon as possible. 

Finding #17: Engine sensor failures have
become more frequent and are a source of 
increased risk of launch delays, on-pad 
aborts, or potential unwarranted engine 
shutdown in flight. 

Recommendation #17: Undertake a program
to secure or develop and certify improved, 
more reliable engine condition sensors. 

Finding #18: The SSME health monitoring 
system comprising the engine controller and 
its algorithms, software, and sensors is old 
technology. The controller’s limited 
computational capacity precludes incorporation
of more state-of-the-art algorithms
and decision rules. As a result, the 
probabilities of either shutting down a 
healthy engine or failing to detect an engine 
anomaly are higher than necessary. 


Recommendation #18: The SSME program 
should undertake a comprehensive effort 
to improve the capability and reliability of 
the SSME health monitoring system. Such 
a program should include not only improved 
sensors but also a more capable controller 
and advanced algorithms. 

SOLID ROCKET MOTORS

Finding #19: A segment of an aft skirt will
be used to test the effectiveness of an 
external bracket modification in reducing 
the overall bending stress of the skirt. The 
validity of using an 11-inch-wide test 
specimen to determine the effectiveness of 
the bracket is yet to be demonstrated. 

Recommendation #19: NASA should
evaluate the first specimen test results to
see if the strains in the weld area duplicate 
the strains found when a full aft skirt was 
tested in the Static Test Article-3 (STA-3) 
test. If not, another test approach should 
be pursued. 

Finding #20: A small crack was found in
the inner wall of a forward Redesigned Solid
Rocket Motor (RSRM) casing used for STS-54.
Although slightly above the specified
minimum detectable size, it was well within 
the acceptable limits for safe flight. This 
was the first time that a crack had been 
found in a forward segment, although cracks 
have previously been detected in other 
segments. The crack occurred during the 
manufacturing heat treatment process 
because of an inclusion in the parent 
material. 

Recommendation #20: The X-ray and
magnetic particle inspection program criteria
should be re-evaluated to assess their ability 
to detect cracks of the size found. 




Finding #21: The Advanced Solid Rocket
Motor (ASRM) project has been canceled.
Some elements from the ASRM development
have possible reliability and/or performance
benefits if they were applied to
the RSRM. 

Recommendation #21: Examine the potential 
applicability and cost-effectiveness of 
including selected ASRM design features 
in the RSRM. 

Finding #22: A chamber pressure excursion 
of 13 psi (equivalent to a thrust perturbation 
of 54,000 pounds) occurred in one of the 
RSRMs of STS-54 at 67 seconds of motor 
operation. A thorough investigation of the 
phenomenon was initiated and found that 
the most probable cause was the expulsion 
of a "slug" of liquid slag (aluminum oxide) 
generated during normal propellant 
combustion. Analyses showed that, even 
under statistical worst-case conditions, the 
safety of the Shuttle system is not 
compromised by such perturbations. Some 
testing and analyses are still scheduled to 
complete the investigation. 

Recommendation #22: Complete and
document the investigation, and continue
the established practice of monitoring 
chamber pressures and examining possible 
remedial actions. 



EXTERNAL TANK

Finding #23: A Super Light Weight External
Tank (SLWT) has been proposed as a means
of increasing the payload performance of
the Space Shuttle. The tank would employ
structural changes and be made from an
Aluminum-Lithium (Al-Li) alloy. The
SLWT appears to involve no safety decrement
and low technical risk.


Recommendation #23: The impact of the
SLWT on the total system should be carefully
examined.

LOGISTICS AND SUPPORT

Finding #24: The Integrated Logistics Panel 
(ILP), which meets at 6-month intervals to 
report and coordinate the activities of the 
NASA Centers and their contractors, is 
performing a vital service in helping to 
control the entire Space Shuttle logistics 
program. 

Recommendation #24: The ILP should
continue to be supported as an effective
means of maintaining control and coordination
of the entire logistics program.

Finding #25: The Vision 2000 cost-reduction 
program promulgated in May 1993 includes 
some major changes in the logistics and 
support areas. 

Recommendation #25: All changes that
might impair logistics and support functions
in the name of cost-cutting should be most 
carefully reviewed before implementation. 

Finding #26: Introduction of the Just-In-Time
(JIT) manufacturing and shelf-stocking
concept by NASA logistics at KSC is a 
potentially effective method of cost 
control. 

Recommendation #26: JIT should be used
with caution and with a thorough understanding
of how it may impact the availability
of Space Shuttle spares and hardware 
supplies. 

Finding #27: A review of the main logistics
system performance parameters indicates
that the program is generally performing
effectively. There are minor problems with
zero balances, and repair turnaround times 
appear to be worsening. Cannibalization, 
with the exception of the IAPU, is at a 
minimum. Because of manufacturing and 
assembly quality problems, the number of 
spare engines is at a minimum and could 
become a logistics problem. 


Recommendation #27: Additional emphasis 
should be focused on repair turnaround time 
improvement and the reduction of cannibalization
of SSME and IAPU components.
NASA should continue the efforts to 
improve SSME manufacturing control and 
quality processes to preclude future engine 
availability problems. 





C. AERONAUTICS 


Finding #28: The Dryden Flight Research 
Facility (DFRF) does not presently have a 
range safety policy and system for 
Unmanned Aerial Vehicles (UAVs) such 
as the Perseus, which is about to enter 
extensive testing. A working group under 
the DFRF Chief Engineer is examining the 
issue. 

Recommendation #28: DFRF should develop 
a range safety policy and system that are 
adequate to cover its contemplated UAV 
projects. 

Finding #29: The DFRF flight safety and 
mission assurance organization now reports 
directly to the Director of the facility. 


Recommendation #29: None. 

Finding #30: The X-31 aircraft exhibited
some undesirable stability characteristics at 
higher subsonic speeds and an unexpected 
departure during a high angle of attack test. 
It also carries an insufficient quantity of 
hydrazine to run its emergency power unit 
long enough to return to the Edwards 
runway from the typically used flight test 
site. 

Recommendation #30: Future test objectives 
for the X-31 should be based on an 
assessment of the specific program objectives 
that can only be uniquely and safely performed
by this aircraft.






D. OTHER 


Finding #31: NASA’s past approach to
software development has been to 
incorporate it within the individual programs, 
allowing them to determine their own 
requirements and development, verification, 
and validation procedures. In the future, 
as the complexity of NASA’s computer 
systems and the need for interoperability 
grow, this mode of operation will be 
increasingly less satisfactory. While NASA 
has some good software practices, it does 
not have the overall management policies, 
procedures, or organizational structure to 
deal with these complex software issues. 

Recommendation #31: NASA should proceed 
to develop and implement an Agencywide 
policy and process for software development, 
verification, validation, and safety as quickly 
as possible. 

Finding #32: NASA has consolidated Life
and Microgravity Sciences and Applications,
including human factors in NASA Headquarters
Code U. A Space Human Factors
& Engineering Program Plan is being prepared
to guide future research activities.
There remains, however, a clear need for 
more operational human factors input in both 
the Space Shuttle and Space Station 
programs. 

Recommendation #32: The Program Plan 
should be expanded to include support of 
the operating space flight programs to ensure 
that sufficient human factors expertise is 
included. 

Finding #33: There are excellent examples
of Total Quality Management (TQM) 
principles and practices in various contractor 
and NASA activities. 

Recommendation #33: NASA and contractor 
management should use the existing effective 
TQM implementations as models for their 
continuing TQM efforts. 





III. INFORMATION IN SUPPORT OF FINDINGS 
AND RECOMMENDATIONS 




A. SPACE STATION PROGRAM 


Ref: Finding #1 

The Space Station program has been in a 
state of flux for most of the year, and now 
incorporates components and hardware 
designed and manufactured in Russia. The 
decision has also been made to place the 
Space Station in a higher inclination orbit 
so that it can be reached from both nations’ 
launch facilities. In addition, a Shuttle-Mir 
rendezvous and docking and
astronaut/cosmonaut exchange program has
been initiated and is in the hardware 
manufacturing stage. These changes could 
have profound impacts on the entire life 
cycle of operations. These impacts must be 
carefully studied now so that sufficient 
provisions are made for them in the Space 
Station and Space Shuttle programs. Activity 
has been so rapid that there has been little 
opportunity to examine information about 
the design and operating philosophies of the 
two countries that pertain to safety, e.g., 
structural design margins, redundancy 
policies, systems integration, operating 
priorities, and environmental test specifications.
Also, the philosophy for Station
crew emergency egress and return to Earth 
in the event of a major catastrophe remains 
of concern and should be reexamined in light 
of the new design. 

The requirements for the joint programs 
should be established from a thorough 
understanding of the underlying policies of
design, test, and review in use by each
country. Timely end-to-end systems analyses 
should be conducted to ensure adequate 
safety of components and interfaces. 
Adequate attention should be given to 
lessons learned from previous collaborations 
on Apollo-Soyuz and the more recent 
experience from U.S./Russian commercial 
aircraft integration efforts. 

Ref: Findings #2 and #3 

The Space Station Program has recognized 
that the hazard of possible impact with 
orbital debris cannot be ignored given the 
large size of the Station and the planned 
long period on-orbit. Accordingly, a 
specification of a probability of no 
penetration (PNP) from such impact of 0.95 
for a mission duration of 10 years was 
established. This duration represents a 
reduction from the originally planned Station 
life of 30 years. The Space Station, because 
of its large size, long mission life, and orbital 
altitude, is at greater risk than previous 
missions in low Earth orbit (LEO), and it 
is not certain whether the probability 
requirements can be met. 

An orbital debris program has been 
underway for a number of years with the 
objectives of defining the environment,
developing models, developing shielding 
concepts, and maintaining a data base. 
NASA, in conjunction with other agencies
around the world, has compiled a
comprehensive catalog of known objects in 
space with a diameter larger than 10-20 cm. 
In addition, they have developed detailed 
models of the distribution of debris of 
diameters less than 10 cm in terms of 
particle flux of various sizes as a function 
of altitude and latitude. These models can 
be combined with orbital data and the 
projected area and functional lifetime of a 
spacecraft to yield a probability of impact 
and an estimate of the mass and velocity 
of the impacting body. Hypervelocity test 
programs, carried out by NASA and other 
agencies, allow these data to be turned into 
damage assessments of structures, pressure 
vessels, and other vulnerable portions of a 
spacecraft. 

The flux of orbiting debris depends on 
several physical factors that make the 
environment vary, creating considerable 
uncertainty over time. The principal factor 
that serves to remove debris from orbit is 
the retarding force of the drag that is 
proportional to the area-to-mass ratio of the 
debris object and to the density of the 
atmosphere. The latter varies over time, 
driven largely by the 11-year cycle of solar
energy — the "sunspot cycle." The principal 
debris-increasing factor is the launch of new 
satellites and their accompanying rocket 
bodies, and other mission-related objects. 

To put this in perspective, the orbital 
lifetime at an altitude of 200 km can vary 
from a few months to over 10 years. At 
altitudes of 1,000 to 1,500 km, the life can 
exceed 1,000 years. Orbital debris flux is 
several times what was predicted 7 to 10 
years ago and is increasing at a rate of 2 
to 5 percent per year. Given the great 
changes in Station design and configuration 
and the uncertainties involved, the analyses 
to date for PNP and probability of no 
catastrophic failure (PNCF) are only 
rudimentary. Therefore, the real risks are
not yet well understood. Also, given the cost
and work involved in developing the Station, 
it may be unduly limiting to base risk 
analyses on a life of only 10 years. The 
Program should also explore longer lifetimes. 

The vulnerability of spacecraft surfaces to 
penetration by debris can be mitigated by 
shielding. Extensive, high-quality work has 
been done on developing shielding techniques
to protect against objects of small
diameter, e.g., 1 to 1.5 cm, at an average 
relative velocity of 10 km/sec. The initial 
shield design for the Station (0.050-inch thick 
aluminum bumpers with 4.5-inch standoff 
from an 0.125-inch aluminum manned 
module pressure wall) meets the present 
PNP requirements. Several advanced shield 
trade studies are being initiated to provide 
penetration protection, maintain schedule, 
and minimize launch weight for manned and
unmanned critical elements. The launch
weight can also be managed by augmenting 
shields on-orbit. It would seem prudent to 
give careful consideration to shielding 
designs that allow for the addition of debris 
protection on-orbit. It must also be noted 
that there is a range of debris, roughly 1-2 
cm up to 10-20 cm in diameter, for which 
adequate means of protection do not 
presently exist. 

It is reasonable to assume that not all 
penetration events will result in catastrophic 
failures, as the earlier studies had assumed. 
Studies show (for Space Station Freedom) 
that if the PNP of 0.95 is interpreted as a 
PNCF, it is equivalent to a PNP of 0.90. 
The allocation of PNP to modules depends 
on the severity of the consequences of 
penetration in each individual area. The 
allocation of PNP for each of the critical 
elements varies from 0.9920 to 0.9955 for 
the modeled configuration. Meeting these 
requirements could present severe weight 
and cost penalties as well as schedule 
constraints. 





Further work is needed on fracture 
mechanics response of pressure vessels to 
hypervelocity impacts to determine which 
impacts would result in self-propagating 
cracks. The critical crack length for constant 
thickness aluminum skin is well charac- 
terized. However, the crack length for the 
waffle construction planned for the current 
design requires further analysis and testing. 
Unfortunately, FY 1993 funding for this type 
of fracture testing at MSFC has been frozen. 

In addition, detailed analyses need to be 
conducted of crew injury or loss of Station 
due to critical element penetration. Such 
elements will include manned elements and 
stored energy elements, with the manned 
elements requiring many assumptions on 
crew location and reaction. Tests are 
required to verify crew egress time and 
depressurization limit assumptions. The 
problem is multidimensional, requiring a 
particular focus on structural analysis and 
crew factors. Optimum solutions will depend 
on weight and schedule limitations. Careful 
consideration should be given to developing 
realistic scenarios of crew condition and 
possible response behavior as a function of 
the nature of various relevant penetrations. 
On the one hand, worst case analyses may 
lead to requirements that are too restrictive 
and costly. A failure to be sufficiently 
conservative, on the other hand, can expose 
the crew to unreasonable risk. 

A collision avoidance scheme involving 
ground radar tracking of potential impactors 
and maneuvering the Station to avoid impact 
has been proposed and may be technically 
feasible. Existing radar nets, however, are 
limited by geographic location and wave- 
length considerations to tracking objects 20 
cm and larger (equivalent radar cross- 
section) in LEO. Ability to detect, track,
and catalog debris falls off rapidly below
10 cm for these systems, which were not 
designed for this purpose. Because space- 
craft are vulnerable to serious damage from 
objects as small as 0.5 cm, such a scheme 
is only partially effective without greatly 
improved and potentially very expensive 
enhanced radar capability and added 
operational tracking personnel and 
equipment. Maneuvering of the Station also 
imposes dynamic effects on deployed solar 
and radiation panels and on microgravity 
experiment operations. 

Ref: Finding #4 

The Panel’s review did not uncover any 
detailed plan for rescue of Space Station 
personnel from the combined revised U.S. 
Space Station in the event of a catastrophic 
event. While acknowledging that Station 
plans have been in great flux this past year, 
information available to the Panel indicates 
that rescue plans center on either the 
continuous presence of an Orbiter or one 
or more small capacity Soyuz capsules. Both 
schemes are presently vague, giving rise to 
concern that neither will prove satisfactory 
without more precise and detailed planning, 
including necessary training and restrictions 
on Station population. 

NASA should determine the extent to which 
current plans meet the necessary safety 
criteria. To the extent they do not, priority 
should be given to constructing the protocols 
necessary to ensure rescue of the entire 
Station crew in the event of any credible 
need to evacuate the Station. Where 
pertinent, the excellent groundwork repre- 
sented by the requirements analysis for 
NASA’s Assured Crew Return Vehicle 
(ACRV) should be utilized. 





B. SPACE SHUTTLE PROGRAM 


LAUNCH AND LANDING

Ref: Finding #5 

The Panel has been following Space Shuttle 
launch processing for more than a decade. 
This predates the selection of Lockheed 
Space Operations Company as the Shuttle 
Processing Contractor (SPC). From this 
extended perspective, it is clear that 
considerable progress has been achieved in 
evolving a more reliable, orderly, efficient, 
and safe process. In particular, both 
management and workforce are committed 
to the proposition of "safety first, schedule 
second," as well as to the development of 
improved management procedures that build 
a greater sense of personal responsibility 
and pride among personnel. The principal 
challenge facing NASA and SPC manage- 
ment is to carry on this commitment to 
continuous improvement in the face of 
sharply reduced operating budget forecasts 
for the years beyond FY 1995 and externally 
imposed constraints. 

The number and severity of Space Shuttle 
processing incidents continued a downward 
trend in FY 1993. A total of 20 incidents 
were reported from October 1992 through 
September 1993. Eight were attributed to 
human error, seven to procedures 
(permanent changes to the procedures are 
planned to eliminate the deficiencies), one 
to equipment breakdown, three to design 
deficiencies (in each case, a design change 
has been made or is in process), and one 
unknown. For July, August, and September 
1993, the human error rate dropped to zero. 
Data on incident/accident frequencies during 
processing reveal no apparent correlations 
between frequency of incidents and work
location, day of week, or particular shift.

Since FY 1988, the number of labor hours 
required for Space Shuttle launch processing 
has been cut in half. Factors accounting for 
this decrease include continuing reductions 
in non-standard work, gradual elimination 
of overtime, maturing of task teams, greater 
predictability in work schedules, fewer 
unplanned events, and a greater experience 
base among the workforce. Most parts for 
planned work in the Orbiter Processing 
Facility (OPF) for each flow are now kitted 
in advance. Spare parts are available for 
on-time delivery a high percentage of the 
time. Engineers are more readily available 
to resolve unclear or incorrect work 
authorization documents (WADs). The STS-58
flow for Columbia was the best ever,
although a last-minute glitch on a range
safety computer forced a scrub. Areas of
concern remain the Improved Auxiliary
Power Units (IAPUs) that still require
frequent repairs, sometimes involving a Self- 
Contained Atmospheric Protection Ensemble 
(SCAPE) suit operation, and SSME 
turbopumps that require inspection after 
each flight. 

The Task Team Leader (TTL) program has
been instrumental in reducing the frequency 
of delays and incidents. The more positive 
work environment brought about by task 
teams has, in turn, contributed to more 
reporting of close calls. However, the need 
to make close call reporting even easier was 
stressed by the Panel and acknowledged by 
the SPC. Currently underway is a TTL- 
enhancement project to apply positive results 
of the TTL program to all processing areas 
and develop additional performance 
measures. 




Ref: Finding #6 

More than 1,200 positions have been 
eliminated by the SPC since September 1991, 
with only a small portion coming from 
involuntary separations. A comparable 
further reduction has been called for by the 
end of FY 1995. The present reductions 
have been achieved without an apparent 
adverse effect on the safety of launch 
processing. The operative question is 
whether planned cost reductions, which will 
inevitably reduce the number of processing 
personnel, can be achieved without com- 
promising safety and whether recognized 
warning signs can indicate if safety margins 
are on the verge of being compromised. 
Based on information available to the Panel 
from its activities at Kennedy Space Center 
(KSC) during the year, it must be concluded 
that additional reductions of the magnitude 
already taken cannot likely be made without 
a higher probability of impacting safety. 

In addressing these questions, the SPC has 
stipulated the following criteria: safety is 
and will remain the number one priority; 
capability for eight flights/year must be
maintained; all unique and critical facilities, 
e.g., both launch pads, must remain open; 
and continuing improvement must be 
sustained. An ongoing program to enhance 
employee/management communications and 
greater reliance on structured teamwork 
provides the foundation for the SPC’s 
continuous improvement process. 

Of the personnel reductions during calendar 
year 1993 up to the time of this writing, 
incentivized/voluntary separations comprised 
43 percent and normal attrition accounted 
for 35 percent. Involuntary separations 
amounted to 22 percent. Professional 
outplacement services have been provided 
to terminated employees as few, if any, of 
the terminated workers will likely be rehired. 
This also means there are few opportunities
to bring in new workers. As the median age
among existing workers continues to climb, 
the difficulty of recruiting and training 
younger employees who can develop the 
required knowledge and experience to 
sustain the program into the next century 
is a cause for concern. 

Developing metrics to provide an alert with 
respect to the safety impacts of personnel 
cutbacks is particularly difficult. A large 
number of activities are routinely measured 
and evaluated. Specific metrics to identify 
cost-reduction danger levels in advance have 
not been identified although NASA officials 
believe that failing to achieve key milestones 
will be one indicator of problems. At the 
request of the Administrator, the Panel will 
continue to work with KSC and the SPC on 
the definition of appropriate warning 
measures that can be used when making 
decisions on future cutbacks. 

Ref: Finding #7 

Several Space Shuttle processing problems 
at KSC have been attributed to issues related 
to human factors. KSC has recently formed 
a human factors task force to examine the 
problem of human errors in Space Shuttle 
processing and to develop remedies. 
Unfortunately, this task force does not 
include sufficient representation of trained 
human factors professionals. Human factors 
workshops for the task force members will 
be held in an attempt to remedy this 
deficiency. 

To provide appropriate impetus to its 
growing human factors efforts, NASA needs 
to increase the number of trained human 
factors professionals available to the 
programs. Workshops to acquaint managers 
and engineers with human factors principles 
such as those being contemplated for the 
KSC task force are an excellent way to 
create an understanding of the benefits that
this discipline can provide. They are not,
however, a substitute for specialists who have 
training and experience in the field. 

Ref: Finding #8 

Quality assurance must be an inherent part 
of any safe aerospace endeavor. One of the 
traditional methods of quality assurance is 
to use inspectors to verify the work of 
technicians. In recent years, many complex 
aerospace operations, such as airline 
maintenance, have attempted to improve 
their cost-effectiveness by limiting inspections 
to only those that provide a true "value 
added" to safety. If redundant or non- 
productive inspections and signoffs are 
eliminated, costs are reduced, and the major 
responsibility for quality is placed on the 
technician doing the work. 

To decrease the overall process flow time, 
increase first-time quality, and reduce cost, 
KSC developed a Structured Surveillance 
program. The program approach involves 
reducing the reliance on hands-on 
inspections for assuring quality. As a result 
of the STS-51L accident and the additional 
requirements imposed on the return to flight, 
the number of inspections had been greatly 
increased. It was the judgment of KSC 
management that the Space Shuttle program 
had progressed sufficiently since the accident 
to warrant a cautious retreat from a position 
that essentially required mandatory in- 
spection of all operations and redundant 
inspections of many. The essence of the 
Structured Surveillance process is to identify 
low criticality ("Crit 3") steps that need not 
be inspected each time they are performed. 
Included are tasks that do not impact flight 
or mission safety and tasks that will be 
verified later in the processing flow. For 
these operations, mandatory inspections are 
deleted, but some level of random inspection 
is retained. 


To assess the effects of reduced reliance on 
inspections and to shed light on the 
Structured Surveillance process, KSC 
management undertook a Structured 
Surveillance Pilot Program. The goal of this 
program was to eliminate those inspections 
that, in the best engineering judgment, were 
not adding to the quality of the Space 
Shuttle processing, and to assess the impact 
on quality of those reductions. NASA and 
each of its major contractors at KSC were 
to implement a pilot Structured Surveillance 
plan and assess its effectiveness before the 
Center committed to a full-scale imple- 
mentation of the concept. This was a 
prudent course to follow. 

The Structured Surveillance program has 
now emerged from the pilot test stage. 
Based on experience to date, it appears that 
retaining the inspections inherent in the 
Structured Surveillance approach can help 
achieve at least the following objectives: 

• Providing more rapid feedback for 
control and process improvement 
than would be possible without some 
inspections. 

• Providing a reasonable basis for 
deploying quality assurance resources 
so that they cover the entire 
operation. 

• Developing estimates of first-time 
quality in those Crit 3 tasks from 
which inspections have been re- 
moved. 

• Developing KSC-wide estimates of 
performance that can be trended 
over time. 

• Determining award fee for the SPC. 





Each of these objectives is inherently 
reasonable. Given the nature and frequency 
of the Space Shuttle processing tasks, 
however, it may not be possible statistically 
to develop trend measures to replace the 
results of 100-percent inspections. In order 
to develop valid and reliable estimates, an 
extremely rigorous statistical sampling plan 
would have to be developed and scrupulously 
followed. The operational reality at KSC, 
however, will not likely permit this degree 
of rigor. It is not certain that any facility- 
wide trend measures could be reasonably 
interpreted. Moreover, attempting the 
rigorous sampling plan needed for such trend 
measures may actually prove 
counterproductive to the other objectives 
of Structured Surveillance. 

Overall, it can be concluded that the 
Structured Surveillance concept is sound and 
worthy of continuation and cautious 
expansion. 



Ref: Finding #9 

Thermal damage was seen on the right and 
left hand elevon tiles after STS-56 (OV-103). 
The temperature indicators in these areas 
all exceeded the limit of the device, which 
is 290° F. The slumping of the tiles 
indicated that approximately 1,000° F must 
have been reached. This temperature is 
sufficiently high so that the temper and 
strength of the underlying aluminum may 
have been affected. In light of the 
observations from the STS-56 flight, an 
analysis should be conducted to determine 
the temperature profile seen by the 
aluminum structure of the elevons and its 
consequences on the strength of the 
underlying structure. 

STS-56 was a heavy-weight vehicle at a high- 
inclination (57°) orbit, resulting in increased
aero-heating during re-entry. At the time
of this writing, inspections of other tiles on 
the wing were being made to determine if 
they had been similarly affected. The values 
assumed for pre-flight calculations of aero- 
heating during re-entry of heavy-weight 
orbiters from high-inclination orbits should 
also be re-examined in light of the thermal 
damage experienced by STS-56. 

Ref: Finding #10 

An effective, reliable thermal protection 
system is essential to the success of the 
Space Shuttle or any recoverable and 
reusable spacecraft. Various approaches 
and schemes involving both metal and 
ceramic designs have been explored over 
the years. One of the most successful 
applications of ceramics has been the tiles 
developed for the Space Shuttle. The 
present ceramic refractory tile has been 
employed on the Space Shuttle for over 10 
years. While it has indeed proven to be an 
effective heat protection device, it has 
exhibited some operational deficiencies 
relating to brittleness and shrinkage. Also, 
it is heavier than desired. 

Rockwell International, under contract to 
NASA, is examining a tile using a refractory 
block insulation called Alumina Enhanced 
Thermal Barrier (AETB) that, when coated 
with Toughened Uni-piece Fibrous Insulation
(TUFI), has considerably improved 
toughness, durability, and shrinkage- 
distortion characteristics over the current 
Shuttle tiles. This tile also promises a 
significant saving in weight that could be 
reflected in increased Shuttle payload, a 
capacity much coveted for higher inclination 
orbits. It is therefore reasonable for NASA 
to support the development of thermal 
protection tiles with improved mechanical 
properties and lower density than the current 
Shuttle tiles. 





Ref: Finding #11 

The existing Orbiter cockpit displays are 
based on 1970’s technology. They provide 
basic "raw" data to the crew using numerous 
discrete electromechanical gauges and "green 
screen" Cathode Ray Tubes (CRTs) 
displaying alphanumeric characters. Modern
display technology has evolved using both 
color CRTs and flat panel liquid crystal 
displays (LCDs). These displays have the 
capability to integrate information that was 
previously shown on separate instruments. 
Through the use of color and graphical 
formatting, they can show trends and 
predictions to assist a pilot in "staying ahead" 
of the aircraft. 

The Space Shuttle program has embarked 
upon an instrument upgrade program that 
has been named the Multipurpose Electronic 
Display System (MEDS). The plan is to 
replace most of the discrete flight 
instruments and the existing CRTs with a 
set of flat panel color displays. The cost of 
MEDS has been variously justified on the 
basis of safety or as a remedy to the 
obsolescence of the existing instruments. 
In general, neither existing safety problems 
nor obsolescence can fully justify the cost 
of the retrofit, although MEDS should 
obviate any current obsolescence issues. 
MEDS also has the potential to improve 
significantly the operational safety of the 
Space Shuttle if enhanced capabilities are 
included in the displays. These capabilities 
include predictor information (trends), ascent 
data, and proximity operations information 
for on-orbit maneuvering. 

Unfortunately, NASA has chosen to defer 
any enhanced functionality for MEDS and 
has not even embarked upon a coordinated 
program to define the optimum formatting 
for MEDS displays. Instead, the program 
initially intended to emulate the existing 
electro-mechanical instruments. That
approach has been abandoned in favor of
a consensus approach to iterating to an 
interim set of display formats. If additional 
funding is ultimately available, the interim 
displays will be updated and/or enhanced. 

Research and experience with "glass cockpits" 
in aircraft have shown that flight crews 
acquire information differently from discrete 
electromechanical instruments and integrated 
CRT or flat panel displays. Safety problems 
may even be generated by attempting to 
simulate the conventional instruments on 
flat panel or CRT displays. 

There are clearly some impediments to 
optimizing the MEDS functionality. NASA 
has limited training assets that must be 
capable of supporting both the present 
instruments and the MEDS suite while 
conversion is underway. Adding functionality 
would require changes in the primary flight 
software that runs on the General Purpose 
Computers (GPCs) in order to provide the 
necessary inputs. Funding is limited. 

Notwithstanding the difficulties inherent in 
maximizing MEDS effectiveness, payback 
of the system’s development and installation 
costs will not be realized until and unless 
MEDS is allowed to reach its full potential. 
The present approach to MEDS display 
formatting delays some MEDS benefits and 
may even derail them. NASA should 
commit immediately to a thorough program 
of research and development to define the 
optimum MEDS utilization and plan for its 
realization as quickly as possible. NASA 
should include specialists from its research 
centers and representatives of the flight crew 
and avionics offices in this effort. 

In summary, the engineering of the MEDS 
looks good. The selection of experienced 
display suppliers appears prudent. However, 
NASA should reconsider the current plan 
to use MEDS as an electronic substitute for
the current flight displays, and consider a
plan to use MEDS with all the potential 
advantages of improved operational displays. 

Ref: Finding #12 

Problems with the support of the Auxiliary 
Power Unit (APU) and with the updated 
version known as the Improved Auxiliary 
Power Unit (IAPU) are among the most 
serious impediments to satisfactory launch 
processing and logistics support of the 
Orbiter. The difficulties with the earlier 
APU were limited life (21 months installed 
or 18 hours turbine time), unsatisfactory 
turbine life due to blade root cracks, and 
Gas Generator Valve Module (GGVM) seat 
cracking and leaking. The IAPU was 
intended to provide a 75-hour life based on 
upgrades, including a new turbine wheel 
design, better life limits for the IAPU of 36 
months installed, and a redesigned GGVM. 
Nine IAPUs are currently installed in the 
Orbiters (three per vehicle) and eleven are 
in the repair cycle. 

Problems with the IAPU include shaft 
corrosion and continued GGVM difficulties, 
particularly valve seat failures. Overall, the 
IAPU appears to have failed to produce the 
reliability and service life improvements 
envisioned when it was authorized. As a 
result, another review of the IAPU appears 
to be required if this long-standing 
unreliability problem is to be resolved. 

Ref: Finding #13 

The Space Shuttle’s automatic landing 
(Autoland) system has never been tested 
to touchdown. The system follows the same 
guidance commands that are displayed to 
the pilots. Its design is intended to bring 
the Orbiter safely to the touchdown point 
but requires the crew to deploy the air data 
probes, landing gear, and drag chute 
manually and to control rollout guidance. 


There are several situations that could arise 
in which landing risk would be reduced by 
the use of an automatic landing system. 
These include: 

• Weather deterioration at the landing 
site after the deorbit burn. 

• Loss of visual access through the 
Orbiter’s windshield due to a 
hardware failure or smoke in the 
cabin. 

• Subtle incapacitation in which the 
crew’s ability to pilot the Orbiter is 
impaired but the crew and ground 
controllers are unaware of the 
impairment. 

• Obvious incapacitation in which the 
crew is awake and alert but 
recognizes that its ability to pilot the 
vehicle is diminished. 

• Total crew incapacitation such as an 
unconscious crew due to toxic fumes 
or low oxygen levels. 

The likelihood of each of these situations 
has not been systematically examined. The 
tacit assumption seems to have been made, 
however, that the chance of total, obvious 
or subtle incapacitation will increase as 
mission duration is increased with the 
availability of Extended Duration Orbiters 
(EDOs). 

NASA has now made the decision to 
automate the deployment of the landing gear 
and air data probes. The automated gear 
and probe deployment essentially addresses 
only the situation in which the crew is totally 
incapacitated. In virtually all other situations 
of subtle or obvious incapacitation, the crew 
should be capable of throwing the switches 
for deployment. The air data probe 
deployment is not very time critical, and the 
gear drop can be initiated early in difficult 
situations. 





It appears that decisions regarding automatic 
landings have been made based on minimal
analyses or tradeoff studies. Situations of 
total crew incapacitation in which the crew 
is still alive and recoverable tend to be 
extremely rare. This is why no aircraft 
automatic landing system includes gear 
deployment (or arresting hook deployment 
for carrier landings). 

It would be worthwhile for NASA to reassess 
the entire automatic landing issue before 
committing funds to hardware or software 
changes relevant to future automatic landing 
versions. A working group including crew, 
engineering, life sciences, and human factors 
should be formed to estimate the likelihood 
of each of the scenarios that could require 
an automatic landing. This will help define 
the need for enhancements to the existing 
autoland system and/or its certification and 
validation through flight test. 

Also, NASA should consider upgrades to 
the Microwave Scanning Beam Landing 
System (MSBLS) receiver group to be of 
the same redundancy level (fail 
operational/fail safe) as the rest of the 
system components used in current auto 
approach/landing (pilot or autopilot) and 
the possible installation and certification of 
Global Positioning System (GPS) capability. 
The use of GPS will improve safety of the 
orbiter operation by allowing more flexibility 
in selection of alternate landing sites. 

MAIN ENGINES 

Ref: Findings #14 through #18 

The current or "Phase II" engine has 
performed well in flight this year. The 
number of in-flight anomalies has been 
reduced to about 1.5 per flight, and most 
of these involve instrumentation. Success 
in flight has not been matched on the
ground, however. There have been a
number of aborted launch attempts and 
launch delays attributed to the engine 
system. These include a cutoff caused by 
a contaminated check valve and another 
resulting from the failure of a speed sensor. 
Corrective action has been implemented for 
these problems. 

The launch delays were occasioned by 
problems in the control of manufacturing 
processes that resulted in events such as the 
installation of an incorrect dash-number part, 
mis-location of an etched marking on a 
bearing preload spring, and failure to install 
a turbine blade damper centerplate. Very 
thorough investigations, including a review 
of manufacturing with an operations 
standdown at Rocketdyne, have led to many 
revisions in the manufacturing processes and 
their control. The situation now appears 
to be under control. 

These events led to a series of re-inspections 
of delivered hardware that required at least 
partial disassembly of major engine com- 
ponents, particularly turbomachines. This 
caused a shortage of usable turbopumps 
which, in addition to re-inspection of engine 
nozzle welds, presents a hardware shortage 
problem that it is estimated will persist until 
mid-1994.

"Sheetmetal" cracks in the High Pressure 
Fuel Turbopump (HPFTP) have proven to 
be more of a problem than anticipated. 
Thorough review of the situation has resulted 
in a tightening of the specification for 
allowable crack size by a factor of four and 
the reduction of allowable operating time 
to 4,250 seconds. Of greatest concern is the 
generation of fragments that can, if they 
strike a turbine blade, cause blade failure 
and lead to a catastrophic engine failure. 
No such fragment generation has occurred 
before approximately 5,000 seconds of 
operation. 





Sensor failure, both temperature and 
pressure, is all too frequent and is a 
consequence of the use of fine wire required 
in the design of thermistor temperature 
sensors and strain gauge pressure 
transducers. There is some work ongoing 
to develop more rugged thermocouple-based 
temperature sensor systems. More rugged 
pressure sensors are also needed. It would 
be highly desirable to increase the activity 
level for such developments. 

Several major component improvement 
programs currently underway have been 
grouped into two blocks in order to provide 
the most economical approach to their 
certification and incorporation under 
prevailing technical and budgetary 
conditions. Block I comprises the two duct 
(Phase II+) powerhead without baffles, the
single tube heat exchanger, and the 
Alternate High Pressure Oxidizer 
Turbopump (HPOTP). This block is 
scheduled to complete certification in 1995. 
Block II, comprising the Alternate HPFTP 
and the Large Throat Main Combustion 
Chamber (LTMCC), is scheduled to be 
certified in 1997. All components are 
currently in development testing except for 
the HPFTP which has been deferred by 
Congressional mandate. It had been hoped 
that the work on the HPFTP could restart 
during FY 1994, but as of the date of this 
writing, no authorization has been 
forthcoming. This jeopardizes the ability 
to have the Block II changes certified by the 
planned date. As a result, the safety benefits 
of the Block II component changes will likely 
be delayed beyond 1997 and may not be 
available for the first Space Station 
construction build. 

The Block I changes have completed 16 
development tests in engines in full-up Block 
I configuration. There are no major 
technical issues for the powerhead or the 
heat exchanger. The alternate HPOTP has
progressed well in its development and has
accumulated over 36,000 seconds of test time 
of which over 5,000 seconds have been at 
full power (109%). The introduction of 
silicon nitride balls in the pump end ball 
bearing has eliminated this bearing’s 
problems. There is still a propensity for the 
turbopump to exhibit synchronous vibration 
sensitivity, but it is believed that tightening 
clearance specifications in the bearing 
mounts will go far towards rectifying the 
situation. Cracking has occurred in the 
turnaround duct casting and the turbine inlet 
housing. Detail design changes have been 
incorporated to reduce the number and 
severity of the cracks generated. It is 
believed that the situation is under control 
with adequate fracture life achieved. 

The development of the LTMCC for the 
Block II engine is proceeding well. Thirty- 
four tests of the LTMCC have been 
completed with no significant anomalies 
encountered. The baseline design comprises 
the current NARloy-Z liner with cast inlet
and outlet manifolds. Two other approaches 
to the construction of the chamber are under 
consideration. One is that of the Marshall 
Space Flight Center (MSFC) Propulsion 
Laboratory comprising a one-piece structural 
casting (manifolds and throat section) with 
a "platelet" fabricated liner. The other is 
a Rocketdyne proposal employing a three- 
piece casting and the standard liner insert. 
Early in 1995, hot fire test results as well 
as demonstrated manufacturing schedule 
and cost benefits will be used to make a final 
decision as to which of the three approaches 
will be taken. 

As noted above, the alternate HPFTP 
development is still on hold but some 27 
engine-level tests have been conducted on 
the Technology Test Bed facility at MSFC. 
An acceptable start/shutdown sequence has 
been developed on the engine, and the pump 
has been operated to 109% power level and
to well below the allowable minimum net
positive suction pressure at the inlet. In view 
of the sheetmetal cracking problem of the 
Phase II HPFTP, restarting the development 
is urgent. 

The SSME controller monitors the status 
of the engine during countdown and flight 
by sensing engine conditions through signals 
from a variety of temperature, pressure, 
position, and propellant flow transducers. 
It takes these inputs and, via a set of 
algorithms in its software, determines the 
"health" of the engine system. If it 
determines that an anomalous condition 
exists (e.g., violation of a "redline"), it will 
inhibit engine ignition or shut down an 
engine either on-pad or in flight in 
accordance with the logic of its programmed 
algorithms. Although some engine failure 
modes (such as a turbine blade breaking off) 
propagate too quickly for any remedial 
action to be taken, many modes can be 
sensed or predicted rapidly enough to 
prevent a catastrophic engine failure. 

The effectiveness of any such monitoring 
system may be expressed in terms of the 
extent to which it correctly classifies the state 
or "health" of the system being monitored. 
Both false alarms (a healthy engine being 
classified as unhealthy) and false positives 
(a failure being classified as healthy) are 
to be avoided, of course. With most 
monitoring systems, there is a tradeoff 
between false alarms and false positive rates. 
The more sensitive the monitoring system 
is made in an attempt to correctly identify 
real failures, the more prone it becomes to 
false alarms. 
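
The tradeoff described above, as an added example that is not from the report or from any SSME software: a redline monitor run over constructed sensor traces, sweeping the redline to show false alarms falling while missed failures rise. The units, baseline, noise and drift values are assumptions, and the `persistence` parameter is a hypothetical decision rule included only to show how the rule shapes the same tradeoff.

```python
import random

# Constructed data: a turbine-temperature-like reading in arbitrary units.
# The baseline, noise and drift values are assumptions chosen for illustration.
BASELINE = 100.0
NOISE_SIGMA = 5.0
FAILURE_DRIFT = 0.6   # units per sample added while a failure develops
SAMPLES_PER_RUN = 50


def simulate_run(rng, failing):
    """Return one constructed sensor trace for a healthy or failing engine."""
    trace = []
    for t in range(SAMPLES_PER_RUN):
        level = BASELINE + (FAILURE_DRIFT * t if failing else 0.0)
        trace.append(level + rng.gauss(0.0, NOISE_SIGMA))
    return trace


def redline_trips(trace, redline, persistence=1):
    """True if `persistence` consecutive samples exceed the redline."""
    streak = 0
    for value in trace:
        streak = streak + 1 if value > redline else 0
        if streak >= persistence:
            return True
    return False


def error_rates(healthy_runs, failing_runs, redline, persistence=1):
    """Return (false_alarm_rate, missed_failure_rate) for one setting.

    false alarm    = healthy engine classified as unhealthy
    missed failure = failure classified as healthy (the report's "false positive")
    """
    false_alarms = sum(redline_trips(r, redline, persistence) for r in healthy_runs)
    missed = sum(not redline_trips(r, redline, persistence) for r in failing_runs)
    return false_alarms / len(healthy_runs), missed / len(failing_runs)


def sweep(redlines, persistence=1, seed=1994, n_runs=200):
    """Evaluate every redline against the same constructed population."""
    rng = random.Random(seed)
    healthy = [simulate_run(rng, failing=False) for _ in range(n_runs)]
    failing = [simulate_run(rng, failing=True) for _ in range(n_runs)]
    return [(r,) + error_rates(healthy, failing, r, persistence) for r in redlines]


if __name__ == "__main__":
    redlines = range(105, 146, 5)
    for k in (1, 3):
        print(f"persistence = {k} sample(s)")
        for redline, fa, miss in sweep(redlines, persistence=k):
            print(f"  redline {redline:>3}: false alarms {fa:5.1%}, "
                  f"missed failures {miss:5.1%}")
```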

The SSME controller system employs sensors 
of old technology (which are prone to failure 
as noted earlier), and its computer capacity 
precludes the incorporation of more capable 
algorithms and decision rules that are 
possible with more state-of-the-art
technology. As a result, the probabilities 
of shutting down a healthy engine or failure 
to detect an engine anomaly are higher than 
necessary. Updating the sensors, controller 
hardware, and algorithms should provide 
cost-effective risk reduction. 

SOLID ROCKET MOTORS

Ref: Finding #19 

The aft skirt of the Redesigned Solid Rocket 
Motor (RSRM) failed at a 1.28 factor of 
safety (FOS) during a Static Test Article 
(STA-3) full-scale static test. The addition 
of an external bracket had been proposed 
to modify the aft skirt for the now canceled 
Advanced Solid Rocket Motor (ASRM) in 
order to achieve the design FOS requirement 
of 1.4. The installation of the external 
bracket for the ASRM was to be fully 
evaluated during the STA-4 static test. Since 
cancellation of the ASRM and STA-4 test, 
it has been proposed to use the external 
bracket to reinforce the aft skirt of the 
RSRM. 

An 11-inch segment of an aft skirt will be
used in a specimen test to determine the 
effectiveness of the external bracket 
modification in reducing the overall bending 
stress of the skirt. The first test was planned 
for October 1993, but was delayed at the 
time of this writing until January 1994 
because of unforeseen slippage in the 
fabrication of the test fixtures and test 
articles. Implementation into the fleet will 
be based on these test results and funding. 

The first specimen test will provide insight 
as to whether the input loads at the ends 
and top of the test article are such that the 
strains in the critical weld correspond to 
those found during the STA-3 static test. 
If the strains and boundary conditions cannot 
be duplicated, other means of testing should 
be evaluated. Alternatively, the existing
1.28-demonstrated FOS could be accepted
because the probability that 1.28 times 
design limit load will be exceeded is 
extremely remote. 

Ref: Finding #20 

A single crack was detected in a forward 
case segment (S/N 55) after the STS-54 
flight. The case segment had been flown 
four times and had been proof tested 
successfully during refurbishment. Other 
cracks have been found in RSRM casings, 
but this is the first time a crack had been 
found in a forward segment. 

It was determined that the crack occurred 
during the manufacturing heat treatment 
process because of an inclusion in the parent 
material. The crack size was 0.27 inches 
long by 0.10 inches deep. It was located 10 
inches from the clevis end and oriented 
longitudinally on the inner diameter of the 
case. This is the only membrane crack found 
in approximately 600 pieces of hardware that 
have been manufactured. The crack was 
less than half the critical flaw size. 

The detectable magnetic particle threshold 
is approximately 0.250 inches long by 0.125 
inches deep. Hence, a 0.27-inch-long crack 
in the inner wall of the case was in the 
detectable range for normal refurbishment 
inspections. Therefore, the inspection plan 
for the case should be re-examined to verify 
the minimum size crack that can be detected 
by X-ray and magnetic particle inspection. 

Ref: Finding #21 

With cancellation of the ASRM, it is logical 
to explore the inclusion in the RSRM of 
applicable design features that were planned 
for the ASRM. These candidate changes 
include redesigned aft case stiffener rings, 
case-to-nozzle joint redesign, the new nozzle 
design, and the use of hydroxyl-terminated
polybutadiene (HTPB) propellant. These
changes have the potential to increase
reliability and/or performance if applied to
the RSRM. 

Ref: Finding #22 

Analysis of telemetered chamber pressure 
data from the right-hand RSRM of the STS- 
54 flight revealed a short duration 
perturbation of 13 psi at 67 seconds into the 
flight. The 13 psi is equivalent to a thrust 
change of slightly more than 54,000 pounds. 
A perturbation of this magnitude was higher 
than had been recently observed. Therefore, 
a thorough investigation was initiated. The 
investigation covered reviews of the pressure 
data from previous flights, the composition 
of the propellant in the particular motor as 
compared with earlier motors, manufacturing 
history, solid propellant combustion
processes, flight dynamics, integrated vehicle
stability, and control factors as well as 
structural margins throughout the Space 
Shuttle system. Meetings of NASA and 
industrial specialists in solid rocket motor 
combustion phenomena were convened to 
address the issue. Test programs to verify 
some of the hypotheses of the origin of the 
perturbation put forward during the reviews 
were undertaken. The investigations and 
reviews were very thorough, and some
aspects continue. 

The review of the chamber pressure histories 
of all Space Shuttle solid rocket motors 
flown and tested on the ground (a total of 
145 motors) indicated that perturbations or 
"spikes" of approximately 1- to 2-second 
duration have occurred in every one of them. 
The "spikes" average between 5 and 7 psi 
superimposed on a base pressure of about 
670 psi. There were a number at about 10 
psi, with a few, including STS-54, at about 
13 psi. The spikes occurred on one or both 
of the motors of a flight set with no 
preferential side. However, during most
flights there were perturbations on only a
single motor. Flight data also show that the 
perturbations occur between 65 and 75 
seconds into the burn. Statistical analyses 
of these data indicated that the 3-sigma 
excursion would be about 20 psi. 

All manufacturing processes, propellant 
chemistry, and control data indicate that the 
right-hand STS-54 motor was within the 
specification requirements. Vehicle dynamics
and control analyses indicated that the
thrust perturbations were well within the 
control capability of the flight control system 
even under greater than 3-sigma excursions 
in pressure. Similarly, structural analyses 
indicated that none of the established 
structural margin (factor of safety) 
requirements would be violated under such 
pressure excursions. 

A number of hypotheses as to the cause of 
the perturbations were put forward. Among 
the most plausible were: (1) the shedding 
of parts of the castable inhibitor located 
between the segments of the motors as the 
burn progresses, resulting in partial blockage
of the grain bore or the nozzle throat as the 
parts are expelled, and (2) accumulation and 
expulsion of slag (aluminum oxide) generated
during combustion, resulting in partial
blockage of the bore or nozzle throat. The 
bounding excursion of pressure that could 
be postulated was 31 psi, equivalent to 
124,000 pounds of thrust (this is the value 
used in the analyses noted above). 

Static tests of motors on the ground showed 
the presence of spikes such as those 
experienced in flight. Real-time radiography 
showed no evidence of breakup of the 
castable inhibitor, but did show evidence 
of a higher-density medium (slag) at the aft 
end of the motor. An increase of
combustion chamber pressure roughness
after 50 seconds of burn was evidenced in
radiographic, calorimetric, strain gage, and
pressure gage data. Emission data from the 
exit plume taken by radiometers correlate 
with pressure data and also are indicative 
of a more dense fluid (slag) being ejected 
during a perturbation. In another test in 
which the nozzle was vectored, pressure 
perturbations corresponded to the two nozzle 
vectoring events at 68 and 74 seconds, 
respectively. 

Analytical modeling of the inhibitor breakup 
hypothesis yielded a requirement of inhibitor 
fragments of some 12-14 square feet in area 
to provide a pressure perturbation of the 
magnitude observed. The generation of 
fragments of this magnitude is difficult to 
support. The hypothesis of slag expulsion 
is supported by the following: (1) the
generation of slag has been confirmed
experimentally; (2) an annular "reservoir" 
is generated around the submerged portion 
of the SRM nozzle by completion of the 
combustion of the propellant in that volume 
at about 60 seconds into the burn, allowing 
for the collection of slag in this volume; (3) 
the burn rate of the grain shifts from 
regressive to progressive in the 50-55-second 
timeframe (this is conducive to the generation
of roughness in the combustion
process); (4) the SSMEs are throttling up 
in the 50-second timeframe, providing a 
source of external acceleration; and (5) there 
is a vehicle pitch maneuver at about 65 
seconds (a standard event) that would result 
in the "tilting" of the annular "saucer" and 
expulsion of the liquid slag that had been 
collected. 

Although the slag expulsion hypothesis is 
supported by the data obtained to date and 
is a reasonable causal chain, additional 
testing, data review, and analysis continue 
as of this writing. The investigation of the 
phenomenon has been, and continues to be, 
thorough and objective. More important,
all indications are that Space Shuttle safety
is not compromised even under the worst- 
case perturbations that can be supported 
by available data. 

Ref: Finding #23 

A Super Light Weight External Tank 
(SLWT) has been proposed for the Space 
Shuttle to provide additional payload 
performance. Present estimates are that up 
to 8,000 pounds of additional payload can 
be gained. The SLWT replaces 2219 
aluminum with 2195 and 2090 Aluminum- 
Lithium (Al-Li) alloys. The Al-Li alloy has 
improved fracture toughness, stress corrosion 
resistance, stiffness, and strength. The 
SLWT also includes a redesign of the liquid 
hydrogen tank to employ an orthogrid 
(square waffle) structure and tailoring of 
the thermal protection system insulation on 
the inter-tank to reduce weight. The use 
of Al-Li accounts for approximately half of 
the potential weight reduction because of 
its increased strength and decreased density. 
The structural and insulation changes 
account for the balance. 

The welding processes for the Al-Li alloys 
are similar to those used for 2219 aluminum. 
Even with the thinner skins, the decision 
has been made to leave the weld lands at 
the current thickness, which simplifies tooling 
aspects of the change and results in a 
stronger tank. With the marked increase 
in fracture toughness, especially at cryogenic 
temperatures, and the same weld lands, the 
critical flaw sizes should be greater than for 
the current lightweight tank. 

To determine the effect of the increased 
stiffness of the tank on the Space Shuttle 
system, 12 ground and flight load conditions 
have been analyzed. The preliminary results
show the loads to be within the presently
defined envelope. 

The entire program, including manufacturing 
procedures, weight reduction estimates and 
test plans, appears reasonable. With 
cancellation of the ASRM, the increased 
payload possible from the SLWT will be 
valuable for the Space Station in its new, 
high inclination orbit. However, the total 
system impacts of the SLWT need to be 
carefully examined. 

LOGISTICS AND SUPPORT

Ref: Findings #24 through #27 

The logistics and support programs for the 
Orbiter and other principal project 
elements—SSME, RSRM, and External Tank
(ET)—all appear to be in satisfactory
condition. Some lingering effects of the 
introduction of Orbiter OV-105 (Endeavour) 
have been overcome, and measurement of 
the principal tracking parameters of 
cannibalization, fill rates, zero balance, and 
repair turnaround time show satisfactory-to- 
excellent trends. In the parameter of 
"pending loss of repair/spare," there is some 
concern about certain subcontractors’ 
capability or willingness to continue maintenance
or overhaul support. About 80
contractors are being monitored in this 
context, and alternative solutions are being 
sought where necessary. 

More specifically, cannibalization affecting 
the Orbiter and the STS-54 through -57 
launches has been minimal, reflecting very 
favorably upon the efficiency of the controls 
instituted over the past 3 or 4 years. There 
are, however, some significant problems, 
such as the unreliability of the IAPU. The 
SSME is also having its share of problems,
in particular with the availability of high
pressure oxygen and fuel turbopumps, engine 
nozzles, and valves. 


Repair Turnaround Time (RTAT), which 
has a major effect upon spares availability, 
tends to fluctuate with the experiences of 
launch demands for components and the 
workload at the NASA Shuttle Logistics 
Depot (NSLD). A major part of the RTAT 
problem involves work at the Original 
Equipment Manufacturers (OEMs). 

On the management and administrative 
control front, the logistics and support system 
within NASA and its contractors has been 
excellent, and its control, trend reporting, 
and audit systems appear to be functioning 
well. Interrelationships, as evidenced by the 
half-yearly Integrated Logistics Panel (ILP) 
reports, show that the major contractors’ 
Integrated Logistics Systems (ILS) programs 
comport well with those of the principal 
NASA Centers—KSC, Johnson Space Center
(JSC), and MSFC. Inventory management 
systems such as the Kennedy Inventory 
Management System (KIMS) are being 
constantly updated and performance 
measuring methods such as the Maintenance 
Trend Analysis Report (MTAR) provide 
good visibility into the effectiveness of the 
support. 

Frequent audit examinations and analyses 
are conducted, and the entire program is 
well monitored. One especially commendable
attitude on the part of the KSC ILS
management is the interest in recruiting and 
training bright young people as analysts and 
statisticians and the encouragement thus 
afforded towards career paths in logistics. 

The ILP is the most important coordinating 
activity linking the project elements of the 
Space Shuttle program. The ILP, which 
serves as a forum for periodic review, meets 
at a selected NASA Center every 6 months. 
It is an invaluable source of knowledge about 
the entire logistics program, and provides 
cross-fertilization of ideas and standardization
of techniques among NASA Centers
and their contractors. The ILP activity 
should be continued without diminishment 
or reduction in the frequency of its meetings. 
It is the one central source of knowledge 
of the interrelationship of the entire logistics 
and support organization. 

Cannibalization of built-up spare SSMEs 
is now a significant problem. Seven HPFTPs 
and seven HPOTPs were required to 
complete the build of available spare engines 
at the time of this writing. Engine nozzles 
are also in short supply. It should be noted 
that the manufacturers have already 
instituted action to correct many of these 
issues. It is essential to reinforce the 
ongoing recovery program to ensure better 
SSME component availability in the future. 

The Vision 2000 program, which has been 
subscribed to by key personnel at the 
manned Space Flight Centers, outlines Space 
Shuttle program organization and activities 
to the end of the century and beyond. It 
is, in effect, a "manifesto" for future 
management approaches and procedures, 
the underlying purpose being that of major 
cost reductions brought about by organizational
realignments and the elimination of
duplication. 

While these reductions are obviously 
necessary to meet the funding available, they 
are going to be particularly harrowing for 
the logistics community, principally because 
of the increasing age of the Orbiter 
structures, engines, and components and the 
concomitant need for increased maintenance 
attention. Component obsolescence is also 
a major factor entailing more — not less — 
expenditure to meet the launch requirements.
The present logistics system has been
arrived at over a period of more than 12
years, and, in spite of certain inevitable
shortcomings, is working remarkably well.
It would therefore appear prudent to avoid
any precipitous or arbitrary cutbacks that
might imperil the overall logistics system. 

The NSLD continues to evolve as an 
essential part of the Space Shuttle program. 
It has added some advanced equipment and 
has provided the skills, together with the 
necessary training of personnel, for the 
overhaul, checkout, and failure identification 
of some 4,500 line items. Not only is the 
NSLD a guarantee of continued support of 
component overhaul when the OEM is 
unable or unwilling to offer a satisfactory 
program, but it is also highly cost effective, 
in part because of its close proximity to the 
launch site. 


One of the activities in the logistics field 
which has recently attained prominence is 
that of Just-in-Time (JIT) manufacturing 
and shelf stocking. This concept, which 
involves deferring restocking certain items 
until they are needed, offers many cost- 
effective advantages and is now widely used 
in the auto manufacturing and other 
production-line related activities. With 
careful control, JIT can be a valuable cost- 
saving technique for NASA, although its use 
should be confined to relatively easily 
available hardware type items or readily 
repairable components. 



C. AERONAUTICS 


Ref: Finding #28 

The Dryden Flight Research Facility (DFRF) 
is about to begin extensive testing of the 
Perseus Unmanned Aerial Vehicle (UAV). 
The Perseus is designed for high altitude 
and long-duration observation missions. The 
Perseus testing raises an issue of range 
safety. The flight termination system is a 
parachute that is deployed on command. 
The vehicle is then lowered to the ground 
by the parachute. The initial three flights 
are limited to 3,000 feet above ground level. 
The flight path is planned to be over Rogers 
Dry Lake (Edwards), avoiding approach 
patterns to the main runways. In addition, 
these flight boundaries are reduced for the 
case of wind drift for 30 knots from the 
3,000-foot altitude. Control of the termination
system would be by NASA, as it
should be. Test flights would be controlled 
by the contractor and monitored by NASA. 
This procedure is probably adequate for the 
low-altitude flights, but a different approach 
must be developed for the high-altitude 
flights (probably above 10,000 feet) when 
wind drift can be quite high. The area 
around Dryden is no longer the totally 
barren territory it has been in the past. 
Dryden is depending on the contractor to 
bring in a proposal for flight safety in this 
part of the program which they would review 
and approve. 

At present, DFRF does not have a range 
safety policy for UAV flights similar to other 
unmanned test facilities. In earlier 
unmanned vehicle testing activity at DFRF, 
individual cases were evaluated and negotiated.
If unmanned flights are to be
continued at DFRF, there is a need for an 
overall range safety policy that includes 
definition of the areas, risk assessment, type
of flight termination, and range safety
displays and controls. In the case of Perseus, 
NASA has some control over the project. 
DFRF is concerned that there are other 
projects where DFRF is simply providing 
housekeeping with no control over the 
project, including safety. This situation 
cannot be tolerated without either NASA 
or the Air Force having control of range 
safety. This issue should be addressed as 
part of the DFRF Range Safety Policy. The 
Director of DFRF has recently established 
a committee under the Chief Engineer to 
develop a UAV range safety policy. 

Ref: Findings #29 through #30 

NASA’s flight research facilities are among 
the finest in the world. During the past year, 
the Panel visited only DFRF which has 
undertaken, with great success, some of the 
most challenging and high-risk flight projects 
ever initiated with a commendable safety 
record. This has led to the designation of 
DFRF as an independent center. 

DFRF is currently engaged in a number of 
interesting projects, one of which involves 
post-stall flights. This is a unique flight 
regime made possible by advances in aircraft 
and engine technology and can only be 
researched adequately in free flight. 

Other programs of importance to the future 
of the nation’s commercial and military 
aviation stature involve total integration of 
power and flight controls, boundary layer 
transition studies, and sonic boom studies. 
In the interest of keeping the United States 
competitive in the world aircraft market, 
it is essential to maintain the flight research 
capability at NASA’s research centers. The 
use of flight readiness reviews for programs
and technical briefings before each test flight
at DFRF is an excellent way to minimize 
test flight risk. 

Much progress has been made in the various 
DFRF flight research programs over the past 
year. As part of the propulsion control 
aircraft (F-15) program, a landing was made 
on April 21, 1993, using only propulsion 
control. This work is very important from 
a safety standpoint and should be continued. 
Aircraft of the future may be designed with 
characteristics that enhance propulsion 
control power. This will allow for possible 
landings with structural damage, combat
damage, or a faulty aerodynamic control
system. 

The performance-seeking, propulsion- 
controlled testing is not directly related to 
safety. It does, however, offer excellent 
potential for efficiency gain in civil and 
military aircraft operations. The multi-axis 
thrust vectoring nozzle research should add 
enormous impetus to both the propulsion- 
controlled and performance-enhancing 
research efforts. 

The X-31 aircraft exhibited undesirable 
stability characteristics at higher subsonic 
speeds and was therefore limited well short 
of the full maneuvering design envelope. 
Also, an unexpected departure was 
experienced during a high alpha test. This 
departure could not be duplicated or 
explained by analysis but is an excellent 
example of the necessity of flight testing. 
Another potential safety issue is an 
insufficient quantity of hydrazine to run
the emergency power unit (which furnishes flight
electrical power and therefore controls 
power in the event of an engine failure) long 
enough to return to the Edwards runway 
from the test site. If the aircraft cannot 
make the runway, the pilot must bail out.
This situation represents a risk that has been
deemed acceptable by the program. 

DFRF should evaluate the specific program 
objectives that can be uniquely performed 
by the X-31 and cannot be performed by 
the F-18 or F-15 vectored thrust aircraft. 
The results of this study should be the basis 
of continued testing of the X-31 and the 
continued acceptance of risk. The F-18 High 
Angle of Attack Research Vehicle (HARV), 
another thrust vectoring program, has 
completed over 82 flights with successful 
maneuvers up to 70° angle of attack. The 
software programming of the flight control 
system has the potential to contribute 
significantly to the design of advanced flight 
control laws for future aircraft. The HARV 
program provides a good example of risk 
analysis and rational risk acceptance. The 
possibility of spin chute interference with 
thrust vectoring equipment is an example 
of a risk that was properly assessed and 
accepted. 

The F-16XL supersonic laminar flow control 
program is another example of the systematic 
approach that Dryden follows to control the 
inherent risks connected with experimental 
flying. The Dryden tec Operations Manual
clearly identifies a procedure to be followed 
for identifying hazards and taking the 
necessary actions to reduce them to an 
acceptable level, up to and including a 
redesign of the system. 

The CV-990 Space Shuttle tire test program 
is progressing well. Many taxi tests preceded 
the initial flights, and six flights had been 
accomplished at the time of the Panel’s 
review in August. A primary concern of the 
Panel had been a braking problem during 
a rejected takeoff and subsequent fire that 
destroyed a previously-owned NASA 990 
aircraft. A decision was made to carry no
fuel in the center tanks — ones likely to be
struck in the event of a test gear or CV-990
gear failure. Also, armor plating and
automatic failure detection hardware and 
software have been incorporated in the 
system. 

Another of the unique programs ongoing 
at DFRF is the SR-71 flight program, which 
had completed 28 flights (both SR-71A and
SR-71B models) at the time of this writing. 
There are a number of science payloads and 
experiments that the aircraft are now testing 
or have plans for testing. The aircraft has
unique capability for high-altitude (84,000
feet) and high-speed (Mach 3) flight and 
should prove invaluable for testing sonic 
boom theories and codes needed to design 
an acceptable high-speed civil transport 
aircraft. This use of the SR-71 aircraft 
should be viewed as a flying laboratory and 
funded as a unique national asset. Other 
programs reviewed during the visit to Dryden 
include the Small High Altitude Science 
Aircraft (SHASA), the Perseus UAV, and 
the Advanced Actuation/Fiber Optics 
Systems. 




D. OTHER 


Ref: Finding #31 

NASA programs have long had a significant 
dependence on software processes. That 
dependence is now increasing rapidly, and 
will continue to do so for the foreseeable 
future. With the increasing capabilities of 
computer systems and their decreasing cost, 
weight, space and power consumption, many 
more functions are being controlled through 
software, and the size and complexity of the 
software is correspondingly greater. In 
addition, and at least partially as a result 
of the widespread increase in software 
control of devices and functionality, computer
and software systems increasingly need
to be interoperable, not only within NASA, 
but with other agencies and commercial and 
academic organizations that will use or 
create space system data. The multi-national 
Space Station program, including the 
Russians, may place particular demands on 
interoperability because the Russian 
computing capability and philosophy differ 
from NASA’s. 

NASA’s past approach to software 
development has been to incorporate it 
within the individual programs, allowing 
them to determine their own requirements 
and development, verification, and validation 
procedures. In the future, this mode of 
operation will be increasingly less satisfactory 
as the complexity of NASA’s computer 
systems and the need for interoperability 
grow. It is timely to examine closely the 
overall structure and management of 
software processes within NASA. 

The need for a more comprehensive view 
of software development processes has been 
cited by several different organizations over 
the past several years, including the
Aerospace Safety Advisory Panel (ASAP),
the General Accounting Office, and most 
recently, a subcommittee of the National 
Research Council. These groups have called 
for a variety of improvements to the software 
development process, including software 
hazard analyses, independent verification 
and validation, more central oversight and 
planning, and a variety of other potential 
improvements. 

Most of the recommended changes in 
software policy to date have been made in 
the name of safety within the scope of a 
single program, e.g., Space Shuttle. The
emerging demands for interoperability and 
the ability even to achieve the necessary 
functionality dictate a broader safety need 
that even more strongly argues for greater 
centralization of software policy setting. 
Interoperability will require coordination 
among programs on such matters as data 
definitions, representations, and access. This 
cannot be done within the scope of independent
program management structures,
but will require some central coordination. 

NASA does not now have the overall 
management policies, procedures, or 
organizational structure in place to deal with 
these broad issues. Although relevant work, 
e.g., a software assurance plan and software 
development guidelines, has been in work 
for some time, progress has been slow and 
still does not fully address all of the broad 
Agencywide software issues. In view of 
growing needs for interoperability along with 
continuing needs for software safety 
assurance, this is an important limitation. 

Recently, however, NASA has indicated a 
consideration of an internal effort to develop 
the needed policies, guidelines, and
structures, and has revitalized efforts at
creating software assurance and development 
processes. This contemplated effort appears 
appropriate and should be put in place with 
the necessary resources as quickly as 
possible. 

Ref: Finding #32 

NASA has consolidated Life and 
Microgravity Sciences and Applications in 
NASA Headquarters Code U. Its responsibilities
include human factors activities. A
Space Human Factors & Engineering Program 
Plan is being prepared to guide future 
research activities. There remains, however, 
a clear need for more operational human 
factors input in both the Space Shuttle and 
Space Station programs. 

NASA has needed a coordinated human 
factors effort for some time. The existence 
of a plan, however, is of little value unless 
it is adequately funded and universally 
accepted. At present, there are insufficient 
resources allocated to human factors to 
support either the long-term goals of the 
plan or the essential short-term integration 
of human factors within the operating space 
flight programs. 

NASA’s human factors research efforts, 
particularly at Langley and Ames, are 
excellent. These efforts, however, particularly
related to space, are typically viewed
as basic research by the operating programs 
and spaceflight centers. This assessment 
is partially true and partially the result of 
the "image" that human factors researchers 
within NASA have conveyed. The spaceflight
programs must adopt a specific goal
orientation with a decided "product" focus.
The research programs are seen as a search 
for knowledge that sometimes leads to useful 
spinoffs but cannot be relied upon to meet 
deliverables and achieve budget or schedule 
targets. 


While there may be some validity to these 
prevailing perceptions, there are also 
compelling counterexamples. The problem 
is that NASA human factors research and 
development efforts continue to focus 
primarily on long-term goals. What NASA 
needs immediately is the integration of its 
human factors expertise into the operating 
space programs. Prime examples of efforts 
that could benefit from human factors inputs 
are the Multipurpose Electronic Display 
System (MEDS) for the Orbiter and the 
Space Station systems integration. In spite 
of significant expenditures to retrofit flat 
panel displays into the Orbiters, no funds 
were allocated to designing optimum display 
content or format. There is essentially no 
human factors input to the MEDS program 
in spite of the fact that the NASA research 
centers have been studying aircraft display 
formats for a long time. 

The Space Human Factors & Engineering 
Program Plan should be revised to include 
a focus on the short-term integration of 
NASA’s human factors research assets into 
the operating space programs so that the 
plan is more responsive to NASA’s needs. 
This should be its most immediate objective. 
In order to provide appropriate impetus to 
its growing human factors efforts, NASA 
needs to increase the number of trained 
human factors professionals available to the 
programs. 

Ref: Finding #33 

In the process of conducting other program- 
or activity-focused reviews, the Panel has 
encountered various applications of the Total 
Quality Management (TQM) approach. The 
Panel has also been asked by the NASA 
Administrator for its impressions concerning 
the application of TQM by NASA organi- 
zations and contractors. What follows is a 
summary of the observations and comments 
by ASAP members to this request and is 
not intended as a comprehensive review of 
NASA TQM activities. 

Martin Marietta Michoud Assembly Facility. 
Two years ago, the Panel was first briefed 
on the TQM program being implemented 
by Martin Marietta Michoud Assembly 
Facility employees in constructing the 
External Tank (ET) for the Space Shuttle 
program. In May 1993, Panel representatives 
returned for an update. On both occasions, 
the Panel was extremely impressed with the 
structure, philosophy, and spirit of the 
Martin Marietta implementation effort. 

The total effort has been renamed Mission 
Success 2000. In May, the Panel representa- 
tives were shown specific results of the work 
of a Performance Refinement Team (PRT) 
and an Application Process Team (APT) 
dealing with the application of the thermal 
protection system to the tank. Both teams 
have achieved significant and measurable 
advances as a result of their TQM efforts. 
The high morale among hands-on employees 
witnessed 2 years ago is still evident. It has 
been buttressed with the pride and 
recognition of accomplishment. This appears 
to have strengthened the process by 
reinforcing its benefits to the workforce. 

Thiokol Corporation Solid Rocket Motor 
Facility (Utah). As an integral element in 
its RSRM program, Thiokol has committed 
itself to a comprehensive TQM effort to 
upgrade quality in manufacturing the motor 
segments and associated equipment and to 
ensure improved levels of industrial safety 
in the manufacturing process. 

Thiokol has set up 24 improvement centers 
in the manufacturing process. Each center 
establishes and controls its own 3-year 
improvement plan. Each improvement 
center competes for a share of a significant 
monetary pool. 


Results of the improvement process are 
displayed on the work floor. The excellent 
charts show a variety of quantitative 
measures, e.g., reduction of scrap, repair, 
rework, problem reports, and facility 
cleanliness, that are specific to each work 
center. A Safety Management System (SMS) 
has also been organized to prevent and 
control hazards at the point of manufac- 
turing. Overall, quality has been improved, 
unnecessary inspection points eliminated, 
and Solid Rocket Booster stack time at KSC 
has been decreased. 

Rockwell Palmdale. Rockwell International 
(RI) has made a concerted effort to 
incorporate TQM principles into its 
operations. The major goals are productivity 
improvement in terms of cycle time and 
quality, and human/organizational improve- 
ment as reflected in commitment, assumption 
of responsibility, and flexibility of the 
workforce. It appears that the RI TQM 
program could benefit from the development 
and dissemination of additional performance 
measurements. 

Shuttle Processing Contractor—Kennedy 
Space Center. The Lockheed Space 
Operations Company as the Shuttle 
Processing Contractor (SPC) has designed 
a continuous improvement process built 
around the functions of analysis, employee 
involvement, improvement, measurement, 
customer satisfaction, capabilities, and 
processes. These functions are carried out 
through a network of teams, beginning 
with the top management steering team and 
flowing through natural management teams, 
task teams, process improvement teams, and 
natural work teams. The SPC has invested 
in extensive employee training in implementing 
a task team concept. Various 
devices—"skip-level meetings" (bypassing 
immediate supervision), specialized newsletters, 
and program/corporate status reports—have 
focused on improving employee 
communications. To a much greater degree 
than previously, technicians, working in task 
teams, process improvement teams, and 
natural work teams, are actively engaged 
in developing more efficient and safer work 
procedures. Communications among shop 
floor technicians and engineering personnel 
have improved significantly. A shop floor 
data collection system is also beginning to 
develop reliable measures of problem areas 
and processing improvements. 

Dryden Flight Research Facility. Without 
specifically referring to "TQM" by name, the 
basic principles of TQM are being effectively 
employed at DFRF. The management at 
Dryden has done an outstanding job of 
instilling a high degree of teamwork into 
the Facility’s flight activities. 


Summary. There is evidence of effective 
application of TQM principles and practices 
in various NASA activities. However, use 
of the term itself is of little value unless it 
is accompanied by top management’s 
determination to make its application and 
implementation more than shallow, empty 
phrases. In particular, management must 
be committed to building a culture of trust 
and personal responsibility among the 
workforce. This requires leadership, training, 
innovation, patience, honesty, a willingness 
to change, a credible program of reward and 
recognition, and the commitment to per- 
formance measurement. This requires 
knowledge and application of the tools that 
bring about and validate meaningful per- 
formance and product improvement. 






IV. APPENDICES 



APPENDIX A 

NASA AEROSPACE SAFETY ADVISORY PANEL MEMBERSHIP 


CHAIRPERSON 
MR. NORMAN R. PARMET 

Aerospace Consultant 
Former Vice President, Engineering 
Trans World Airlines 


MEMBERS 

MR. RICHARD D. BLOMBERG 

President 

Dunlap and Associates, Inc. 

MR. CHARLES J. DONLAN 

Aerospace Consultant 
Former Deputy Director 
NASA Langley Research Center 

VADM ROBERT F. DUNN, USN (RET) 

Aerospace Consultant/Author 
Former Deputy Chief of Naval 
Operations Air Warfare, Pentagon 

DR. GEORGE J. GLEGHORN 

Aerospace Consultant 

Former Vice President & Chief Engineer 

Space & Technology Group, TRW, Inc. 

MR. PAUL M. JOHNSTONE 
Consultant, Former Senior Vice 
President, Operations Services 
Eastern Airlines, Inc. 

DR. NORRIS J. KRONE 

President 

University Research Foundation 

MR. MELVIN STONE 
Aerospace Consultant 
Former Director of Structures 
McDonnell Douglas Corporation 

DR. RICHARD A. VOLZ 

Chairman, Department of 
Computer Sciences 
Texas A&M University 


CONSULTANTS 

MR. JOHN A. GORHAM 

Aerospace Engineering 
Gorham Associates 

DR. SEYMOUR C. HIMMEL 

Aerospace Consultant 
Former Associate Director 
NASA Lewis Research Center 

MR. JOHN F. MCDONALD 
Former Vice President 
Technical Services 
TigerAir, Inc. 

DR. JOHN G. STEWART 
Director 

Consortium of Research Institutions 

DR. WALTER C. WILLIAMS 

Aerospace Consultant 
Former NASA Chief Engineer 
NASA Headquarters 

EX-OFFICIO MEMBER 

MR. FREDERICK D. GREGORY 

Associate Administrator for 
Safety and Mission Assurance 
NASA Headquarters 

STAFF 

MR. FRANK L. MANNING 
Staff Director 

MS. PATRICIA M. HARMAN 

Staff Assistant 






APPENDIX B 

NASA RESPONSE TO MARCH 1993 ANNUAL REPORT 


SUMMARY 

NASA responded on August 23, 1993 to the "Findings and Recommendations" from the 
March 1993 Annual Report. NASA’s response to each report item was categorized by 
the Panel as "open," "continuing," or "closed." Open items are those on which the Panel 
differs with the NASA response in one or more respects. Continuing items involve 
concerns that are an inherent part of NASA operations or have not progressed 
sufficiently to permit a final determination by the Panel. These will remain a focus of 
the Panel’s activities during the next year. Items considered answered adequately are 
deemed closed. Those items no longer applicable because of significant programmatic 
changes are denoted "N/A." 

Based on the Panel’s review of the NASA response and the information gathered during 
the 1993 period, the Panel considers that the following is the status of the 
recommendations made in the 1993 Report: 


RECOMMENDATION 
NUMBER          SUBJECT                                              STATUS 

1               Space Station Freedom (SSF) Program Safety and       N/A 
                Mission Quality 
2               SSF Assured Crew Return Vehicle                      N/A 
3               SSF Orbital Replaceable Units                        CLOSED 
4               SSF Integrated Station Executive software            CONTINUING 
5               SSF Data Management System                           N/A 
6               SSF Timeliner software                               N/A 
7               SSF Software Support Environment                     CLOSED 
8               SSF Integrated Logistics System                      CLOSED 
9               Orbiter automated landing system (AUTOLAND)          CONTINUING 
10              Shuttle Multipurpose Electronic Display System       CONTINUING 
11              Shuttle Improved Auxiliary Power Unit (IAPU)         OPEN 
                spares 
12              IAPU Gas Generator Valve Module                      CONTINUING 
13              Orbiter pressure and strain gage measurements        CONTINUING 
14              Space Shuttle Main Engine (SSME) inspection and      CLOSED 
                test procedures 
15              SSME major component improvement programs            OPEN 
16              Flight Support Motors                                CLOSED 
17              Redesigned Solid Rocket Motor nozzle O-ring          CLOSED 
                sooting 
18              Advance Solid Rocket Motor (ASRM) aft skirt          N/A 
                factor of safety 
19              ASRM stress corrosion cracking                       N/A 
20              ASRM manufacturing system software requirements      N/A 
                document 
21              KSC Structured Surveillance Program                  CLOSED 
22              Use of task teams at KSC                             CLOSED 
23              Orbiter Processing Facility lighting                 CLOSED 
24              NASA Shuttle Logistics Depot                         CLOSED 
25              Space Shuttle logistics system                       CLOSED 
26              NASA Headquarters Aircraft Management Office         CLOSED 
27              Review of aging aircraft                             CLOSED 
28              Dryden Flight Research Facility risk reduction       CLOSED 
                measures 
29              Office of Safety and Mission Quality organization    CLOSED 
                structure 
30              Simplified Aid for EVA Rescue (SAFER)                CLOSED 
31              Virtual reality systems                              CLOSED 
32              Human factors issues                                 OPEN 
33              Software independent verification and validation     CONTINUING 
34              Integrated long-range infrastructure plan            CONTINUING 
35              Complete system testing                              CLOSED 
36              Total Quality Management                             CONTINUING 
37              Strategic Considerations for Support of Humans in    CLOSED 
                Space and Moon/Mars Exploration Mission (Life 
                Sciences Research and Technology Program, 
                Volume 1) report recommendations 









NASA 

National Aeronautics and 
Space Administration 

Washington, D.C. 20546 

Office of the Administrator 


AUG 23 1993 


Mr. Norman R. Parmet 
Chairman 

Aerospace Safety Advisory Panel 
5907 Sunrise Drive 
Fairway, KS 66205 


Dear Mr. Parmet: 

In accordance with your introductory letter to the 
March 1993 Aerospace Safety Advisory Panel (ASAP) Annual 
Report, enclosed are NASA's detailed responses to Section II, 
"Findings and Recommendations." The responses reflect the 
status and intentions of NASA before Space Station redesign. 
Changes in Space Station design and management structure 
resulting from the work of the Redesign Team may dictate 
future changes in detail, if not in spirit, of the responses. 

In the case of the Advance Solid Rocket Motor (ASRM) program, 
the current prospects for funding are uncertain. If the 
program is terminated, the ASRM responses will no longer apply. 

The dedication of the ASAP members to NASA continues to be 
commendable. Your recommendations have helped reduce risk and 
improve safety in NASA human/robotic programs and projects. 

Your efforts are greatly appreciated. 


We thank you and your fellow Panel members for your 
valuable contributions and look forward to your next report. 

As always, ASAP recommendations are highly regarded and receive 
the full attention of our senior management personnel. 



Administrator 


Enclosure 




1993 AEROSPACE SAFETY ADVISORY PANEL REPORT 
FINDINGS AND RECOMMENDATIONS 


A. SPACE STATION FREEDOM PROGRAM 


Finding #1: The Space Station Freedom program (SSFP) has progressed considerably in 
the past year. The entire effort now exhibits a degree of stability and continuity that has 
previously been absent. The program-level Safety and Mission Quality (S&MQ) 
function, however, is still not being addressed effectively. 

Recommendation #1: NASA should place special emphasis on better integration of the 
S&MQ function into the overall Space Station program. Attention should be given to 
assuring that the S&MQ function is an inherent part of the design and production 
processes. Areas to be addressed with significant urgency include software verification 
and validation, requirements for the caution and warning (C&W) system, and normal 
and contingency operations planning. 

NASA Response: The Space Station Redesign Team has defined a streamlined 
management structure that should result in significant safety and mission assurance 
(S&MA) cost savings during the program development and implementation phase. The 
Space Station program will fund the technical program requirements (reliability and 
safety engineering activities), while program oversight/assurance will be funded by the 
Headquarters Office of Safety and Mission Assurance (OSMA), or lead or host Center 
Directorate. 

A formal Space Station Management Plan developed during the transition period will 
ensure a clear understanding of the new management structure. This plan will serve as a 
basic governing document that clearly defines all organizational roles and responsibilities. 

The new S&MA structure will consist of two organizations: Assurance and Safety and 
Reliability Engineering. The Assurance organization will provide independent program 
assessment and will report directly to Headquarters OSMA. This organization, 
collocated at the host or lead Center, will support the Station Program Manager. Its 
primary responsibility will be an oversight function that encompasses establishment of 
safety and reliability requirements in concert with the Headquarters OSMA policies and 
guidelines, independent assessment and program risk analyses, quality assurance 
processes, and hardware/software certification, including independent verification and 
validation. The Safety and Reliability Engineering organization will be assigned to the 
Space Station program as part of the Systems Engineering organizations. It will ensure 
that the reliability and safety engineering function is inherent to the overall design 
process. 

The new management structure will continue the effective level of involvement that the 
current program-level S&MA function (Level II Safety and Product Assurance (S&PA) 
Division) provides in the current SSFP. S&PA holds membership, participates, and votes 
in all Space Station program software and Technical and Management Information 
System (TMIS) Control Boards. The Division participates in the development of 
program management and technical requirements for safety, reliability, maintainability 
and quality assurance (SRM&QA), and initiates/supports applicable change requests 
(CRs). S&PA reviews and recommends disposition for every CR evaluated by these 
Boards. S&PA has contributed to Level III, International Partner, and Level IV Design 
Reviews and the Man-Tended Capability (MTC) Phase Manager’s Technical Integration 
Group, the lead Level II Design Review team. S&PA’s expanded quality assurance 
integration efforts over the past year resulted in several program enhancements. S&PA 
also conducted audits and special topic studies. 

In addition to these overall program integration efforts, S&PA has been intimately 
involved in reviewing requirements, plans, and designs for software verification and 
validation, the C&W system, and normal and contingency operations planning. 

Finding #2: The SSFP has established an Assured Crew Return Vehicle (ACRV) 
Project Office to develop requirements and manage the design of a "lifeboat" vehicle. 
The panel examined the developed ACRV requirements in detail as part of a special 
study (see Appendix D). The ACRV Project Office has established excellent functional 
requirements which, if followed, should greatly reduce the risks inherent in leaving a 
crew on the Space Station without an attached orbiter. 

Recommendation #2: NASA should develop an ACRV as a lifeboat in accordance with 
the ACRV project system requirements and philosophy. 

NASA Response: Concur. The Space Station program plans to continue development of 
the ACRV. NASA is examining the acceptability of existing spacecraft from other 
countries in order to minimize cost and to assure that the ACRV will be available for 
use on Space Station Freedom in a timely manner. Provisions for the ACRV have been 
included in the NASA 5-year budget for the redesigned Space Station. 

Finding #3: To allow robotic replacement of Orbital Replaceable Units (ORUs), the 
ORU designs must be robot-compatible. While progress is being made, the optimum 
level of robot compatibility has not yet been achieved. 

Recommendation #3: NASA should set a goal of maximizing the number of 
robot-compatible ORUs. 

NASA Response: We concur that robotic compatibility is important to the design and 
operation of the Space Station. The SSFP established a Robotics Working Group which 
conducted an analysis to optimize the number of robot-compatible ORUs consistent with 
practical application and need. The Robotics Working Group is an active organization 
in which all work packages, operations, projects, international partners, and the Level II 
program participate. It has developed two robotics standards: (1) SSP 30550, Volume 
I, "Space Station Robotics Systems Integration Standards: Robotic Accommodations 
Requirements"; and (2) SSP 30550, Volume II, "Space Station Robotics Systems 
Integration Standards: Robotics Interface Standards." The latter volume standardized 
hardware and equipment for the accommodation of robotics systems. The Robotics 
Working Group continues to work the addition of ORUs to the list of equipment 
designated to be robotic-compatible in SSP 30000, Section 3, "Space Station System 
Requirements," Table 3-55. 


Only external, serviced ORUs are designated robot-compatible, because no internal 
robots are planned. ORU parameters influencing the specific design requirements 
include the physical geometry, mass properties, Mean Time Between Repairs, and Mean 
Time To Repair. ORU numbers, implementation costs, and unit interface and 
workstation environmental conditions are also considered in the design. 

Finding #4: Considerable progress has been made in automation capabilities for Space 
Station Freedom. However, the inclusion of the C&W system operation within the 
Integrated Station Executive (ISE) software is not scheduled until Mission Build 
(MB) 17, and there are hints that this plan might be subject to future software reductions 
and prioritization. 

Recommendation #4 : Because of the important safety role of the C&W system, NASA 
should provide for its operation under the ISE software as early as possible. 

NASA Response: The basic C&W is part of the Data Management System (DMS), not 
the ISE. C&W capabilities will be present in the DMS starting at MB 2 in the form of 
basic limit checking, and will be augmented by the ISE during subsequent assembly 
stages. DMS requirements in Section 3 of the Program Definition Requirements 
Document, Revision L, paragraph 3.2.5.1.1.25, specify that the DMS shall support a 
C&W system that continually monitors the safety conditions and critical functions and 
provides information to the flight and ground crews. ISE requirements in the paragraph 
3.2.13.1.7 specify that the ISE shall augment the C&W capability accomplished by the 
systems, elements, and payloads via the DMS by providing C&W synthesis. These 
additional capabilities are stipulated in NASA-STD-3000, Volume IV, "Space Station 
Freedom Man-Systems Integration Standards." The additional capabilities include 
suppression of repetitive messages, annunciation of flood pattern recognition, and 
initiation of synthesized annunciation of conditions not recognizable by an individual 
system, element, or payload. 

Finding #5: The central development facilities for the DMS may not be adequate to 
support all of the software development and testing that will be required. Also, there is 
concern over the adequacy of the access of payload developers to the software 
development facilities. 

Recommendation #5 : NASA should review the capacity of its planned central 
development facilities for the DMS software to assure that adequate facilities are 
available to handle the load expected for SSF software development. NASA should also 
provide the payload community access to the DMS as quickly as possible and assure that 
payload developers have the facilities and information they need to complete their work 
safely and effectively. 


NASA Response: NASA has reviewed the capacity of the central facilities in order to 
verify their adequacy to support all required software development and testing. A recent 
loading analysis update was presented at the Central Facilities Delta Preliminary Design 
Review on April 26, 1993. The analysis shows a short period of need that exceeds 
availability for a two-shift, 5-day week. This will be accommodated by scheduling an 
additional shift work, as required. The Space Station program is continuing to study 
ways that could enhance the productivity and availability including more verification 
credit at the work packages. 


The program intends to simplify payload interfaces with the core station such that 
payloads will not require the use of the central facility. However, those payloads with 
complex interfaces will have access. Change Request BB003472, "Add CSF/CAF 
Requirements to SSP 30000," approved April 7, 1993, ensures that payload software 
interfacing with core systems and software is accommodated. The DMS hardware and 
software and support equipment are in the central facilities to support payload interface 
verification; however, many potential payloads projects have emphasized that they 
require flexibility in selecting specific verification facility support. 


Finding #6: Neither the Timeliner tool being developed for scheduling Space Station 
activities nor the scripts that will be developed using it appear to be receiving the same 
level of verification and validation as other DMS software. 


Recommendation #6: The Timeliner software and the scripts created using it should be 
subjected to design verification and validation consistent with other mission-critical 
software. 


NASA Response: Timeliner is being procured through IBM and will receive the same 
level of validation and verification testing as other flight software. It has always been the 
intent for Timeliner to be subject to the same level of testing as any other flight software 
in accordance with SSP 30000, Section 12, "Space Station Program Master Verification 
Requirements," paragraphs 4.1.15 through 4.1.18. These paragraphs require verification 
of all flight software including in-line commercial-off-the-shelf (COTS) software. 

Finding #7: The Software Support Environment (SSE) is of critical importance to the 
SSFP. Indeed, it is unlikely that the Space Station software can be successfully 
completed without the tools the SSE offers. 

Recommendation #7: NASA should continue strong support of the development and use 
of the SSE. 





NASA Response: Concur with the recommendation. The program will continue to 
support and monitor the SSE development and utilization. 

Finding #8: The SSFP has begun the planning and development of an Integrated 
Logistics System (ILS), which coordinates the work packages and the Kennedy Space 
Center (KSC). 

Recommendation #8: Continue working on the plan for the ILS. 

NASA Response: Concur. The Space Station program is continuing development of the 
ILS at KSC. The program considers the ILS essential to the efficient and effective 
management of operations and maintenance, spares, repairs, consumable requirements, 
and resource allocations. It is also necessary for the planning and implementation of on- 
orbit quality assurance planning currently in work. 





B. SPACE SHUTTLE PROGRAM 


Finding #9: The Space Shuttle Automatic Landing (Autoland) System needs only 
minimal additional analysis and a few system design changes to extend its performance 
limits and to support a complete definition of flight rules for its use. Cancellation of the 
Development Test Objective (DTO) for an automatic landing on the flight of STS-53 has 
further delayed the specification of these capabilities and the appropriate operational 
role of the Autoland System. 

Recommendation #9: Define the requirements and demonstrate the capability for an 
Autoland System as soon as possible. 

NASA Response: The orbiter currently has a capability for automatic landings, to be 
used as a contingency when the commander and the pilot are incapacitated or incapable 
of landing the orbiter using nominal Control Stick Steering (CSS). Certification of 
contingency Autoland has involved partial flight demonstration; on STS-2, -3, and -4 
Autoland (automatic landing) was engaged from 10,000 ft. to as low as 125 ft. Further 
certification testing of contingency Autoland has not been identified as a requirement. 
Postflight data from each mission have been reviewed and indicate no instances of 
unexpected divergence by the nonactive contingency Autoland from the reference 
trajectory. 

The requirements for demonstrating an automatic landing on the Shuttle have been 
developed as part of a DTO. However, this DTO is not currently scheduled. 

Reasonable mission rules, placards, microwave landing system calibration, and crew 
training requirements have been identified. Software changes desirable to enhance 
redundancy management of navigation sensors have been developed, though not yet 
implemented. Options for automation of landing gear deployment, air data probe 
deployment, braking, and nosewheel switching have been developed for incorporation in 
a long-duration orbiter program. 

We currently have no plan to demonstrate the Autoland System. This policy is the same 
as not demonstrating a Return to Launch Site or Transatlantic Abort (RTLS or TAL). 
The policy is not to take any additional risk for demonstration purposes without a firm 
requirement. 

As you know, the Office of Space Flight (OSF) is reviewing a crew exchange to preclude 
pilots from landing on long-duration flights to Space Station which extend beyond the 
crew’s certified capability to land. Additionally, the OSF has developed an on-orbit 
simulator for practicing landings prior to entry. This will enhance crew performance 
during landing. 




In summary, the program is reviewing the operational flight rules pertaining to Autoland; 
we have budgeted upgrades in software and hardware to improve the Autoland 
functionality; the life sciences organization is collecting physiological data and developing 
countermeasures to ensure adequate crew performance as the mission duration increases. 
We are confident with using Autoland in a contingency mode, but do not plan to 
demonstrate Autoland until a firm requirement mandates a demonstration. 

Finding #10: NASA has funded the development and installation of a Multifunction 
Electronic Display System (MEDS) for retrofit into the orbiter. This system will replace 
the conventional electro-mechanical instruments with flat panel displays. Commercial 
transports and military aircraft have been flying with MEDS-equivalent "Glass Cockpit" 
systems for some years, some converted from older, conventional cockpit displays. 

Recommendation #10: The inherent operational and potential safety benefits of MEDS 
warrant its installation in the Space Shuttle as soon as possible. 

NASA Response: The magnitude of the modifications to the orbiter vehicles to 
incorporate the MEDS is quite large. This is known to involve removal and installation 
of flight deck panels, installation of avionic Line Replaceable Unit (LRU) cooling ducts 
and installation of new LRU wiring and the LRUs themselves. The nature of these 
modifications coupled with the subsystem development schedule, testing schedule, and 
delivery dates of MEDS hardware, warrant installation of the MEDS during orbiter 
maintenance/interval inspection down periods. First flight is scheduled in the fourth 
quarter of FY 1996. 


Finding #11: The inventory of Auxiliary Power Units (APUs) is currently being 
upgraded to an Improved Auxiliary Power Unit (IAPUs) configuration to improve 
reliability and service life. The upgrade program, however, projects a condition of zero 
spares in the future due to time limits on some parts. 


Recommendation #11: NASA should take the steps necessary to preclude a situation of 
zero IAPU spares. 


NASA Response: The entire orbiter fleet will be upgraded to fly only IAPUs with the 
completion of the OV-104 Orbiter Maintenance Down Period (OMDP) 1. The spares 
posture is improving, but cannibalization will continue to be a possibility until all older 
APUs are upgraded to IAPUs and are available for installation in the field. 

Finding #12: The IAPU represents a major improvement in durability and safety. 
However, the Gas Generator Valve Module (GGVM or "Bang-Bang" Valve) continues 
to require frequent replacement because of the high-stress manner in which the valve 
functions. There are alternative valve designs that can be adapted to perform the same 
function. 


Recommendation #12: NASA should continue to explore improved GGVM designs with 
the goal of providing a replacement for the current configuration as soon as practicable. 





NASA Response: Development of an alternative GGVM design and vendor to provide a 
replacement for the current design has been implemented. First flight is scheduled for 
the fourth quarter of FY 1996. 

Finding #13: The results of flight tests on the orbiter Columbia (OV-102) using pressure 
and strain gage measurements on the wing showed that the calculated ascent loads on 
the wing are conservative. Additional flight tests to be conducted the 
pressure distribution and strains on the wing and tail of OV-102. These data are 
required to substantiate that the predicted applied and internal loads on the wing and 
tail are conservative. 

Recommendation #13: Conduct the planned tests as expeditiously as possible. Particular 
emphasis should be placed on the loads on the tail. 

NASA Response: The Space Shuttle program has conducted a series of 
flights to collect the pressure and strain gage data on wing loads. Additional 
planned for STS-55 and STS-58. The collected flight data will be used to verify the 
orbiter aerodynamic data base which has been used in loads analyses. Vehicle loads 
analyses are expected to be completed by October 1994. 

SPACE SHUTTLE MAIN ENGINES (SSME) 

Finding #14: The SSME program is doing well and has sufficient spares. However, the 
engines still require meticulous attention to detail in inspections and tests. 

Recommendation #14: Continue the vigilant implementation of the inspection and test 
procedures while design solutions for known weaknesses are being addressed. 

NASA Response: The SSME program will continue vigilant implementation of improved 
inspection techniques and acceptance test procedures. Design solutions, recurrence 
controls, limitations, and product improvements are addressed routinely to assure and 
increase operating margins and safety margins. 

Finding #15: The individual major component improvement programs are making 
progress. However, a total engine upgrade is being delayed 

Fuel Turbopump (HPFTP) part of the Alternate Turbopump program. 

The highly effective Large Throat Main Combustion Chamber (LTMCC) 

been made a formal part of the SSME program by NASA but has been denied 
appropriations by Congress. Schedule disparities among the various component 
improvements lead to interim certifications of components in engine configurations that 
will never fly and to unnecessary duplication of certification tests. 

Recommendation #15: The identified SSME design improvements are vital to the 
reduction of Space Shuttle operational risk. Therefore, NASA ^°““ and 

HPFTP development as well as continue to press for approval of the LTMCC, and 
examine carefully the benefits of integrating all the individual modifications into a block 
change program. 

NASA Response: NASA fully agrees with the reduction of the operational risk by 
introducing the ATP pumps and the LTMCC into the SSME, and the Agency will 
continue to press for the go-ahead approval of the LTMCC and the ATP HPFTP. 

Development and certification of two block changes will incorporate the safety features 
quickly and efficiently. Block I will include the ATP high pressure oxygen turbopump, 
the Phase II+ two-duct powerhead, and the single-coil heat exchanger. Block II will 
include the ATP HPFTP and the LTMCC. Funding for the ATP HPFTP and the 
LTMCC has been submitted in the President’s FY 1994 budget. Following budget 
approval by Congress, these safety improvements will be aggressively pursued to 
accelerate implementation of the Block II changes. 

SOLID ROCKET MOTORS 

Finding #16: Three Flight Support Motors (FSMs) have been used to date to verify 
quality and qualify design improvements, reproducibility, and replacement materials for 
the Redesigned Solid Rocket Motor (RSRM). In the near future, new materials will be 
needed in the RSRM to replace those eliminated for environmental or safety concerns. 
It will also be necessary to qualify new vendors to replace those who have left the 
industry or are no longer willing to supply components for the RSRM. 

Recommendation #16: To maintain safety and performance, NASA should continue the 
use of FSMs for quality control, validation of design improvements, and qualification and 
verification of new materials, processes, facilities, and equipment. 

NASA Response: It is NASA’s intention to continue to qualify new materials or process 
changes incorporated into the RSRM via the FSM program. The next FSM is FSM-4, 
scheduled for November 1993. The timing of these changes and the subsequent 
qualification efforts are subject to budgetary constraints. 

Finding #17: Soot has been found on the O-rings serving the RSRM nozzle internal 
joint number two significantly more frequently than on the similar O-rings for the other 
four joints combined. A new assembly sequence with Room Temperature Vulcanizer 
(RTV) backfill is being used to counter this problem. 

Recommendation #17: The possibility of heat effect or blowby at the primary seal of 
nozzle joint number two is sufficiently high to suggest the need for a redesign of this 
joint to eliminate the present procedurally based solution. 

NASA Response: The action which the Shuttle program is implementing to correct the 
deficiency of joint number two involves changing the assembly process. We believe, and 
the OSMA concurs, that the corrective action being taken is proper, recognizing the 
relatively minor consequences of the deficiency and the high cost and development risk 
which a redesign in this area might entail. Inspection of the first flight motor with the 
new process looks favorable with blowhole occurrence reduced. We will continue to 
review this improvement. 

During the redesign program following the Challenger accident, this joint was 
redesigned. The primary O-ring was added to make the seal redundant and also allow a 
leak check to be performed during nozzle assembly. There is an RTV sealant applied 
between the nose cap and cowl which is to prevent circulation of hot gas combustion 
gases in the joint. The joint is deficient because blow paths often occur in the RTV, 
allowing hot-gas penetration to the primary O-ring seal, the cowl-to-cowl housing bond, 
and to the joint metal parts. The sealing integrity of the primary O-ring has never been 
a concern to the Shuttle program, even with the many occurrences of gas paths to the 
seal, because the O-ring is a face seal fully enclosed within the O-ring groove and 
covered by the flex bearing flange, and because the joint is static and does not open with 
motor pressurization. There has never been erosion or heat effects observed on the 
O-ring or its sealing surfaces. 

The finding of blow paths in the cowl-to-cowl housing bondline on STS-37 did, however, 
raise a concern for potential failure of that bond. The resulting analysis concluded that 
in the event of a failure of this bond, the leak path would be into the flex bearing/flex 
boot cavity which is not catastrophic. There is also a redundant mechanical attachment 
of the cowl to the cowl housing (36 steel shear pins) which would retain the cowl in the 
event of complete bond failure. This has been the basis for the flight rationale since 
STS-37. 


In the current assembly procedure, an epoxy adhesive is applied to the cowl housing and 
RTV is applied to the nose cap at the same time. There is some mixing of the adhesives 
which prevents uniform curing, and air is sometimes trapped within the bondlines, 
leading to the formation of blow paths. The corrective action changes this procedure to 
separately bonding the cowl and cowl housing, installing the joint bolts, and then 
backfilling the RTV into the cowl/nose cap gap. This change is a low-risk improvement 
which has been thoroughly tested and is expected to significantly reduce the occurrence 
of hot-gas intrusion into the joint. The first flight of this change will be STS-57. 

Finding #18: The projected factor of safety of the aft skirt when used on the Advanced 
Solid Rocket Motor (ASRM) is less than specified. Installation of an external bracket 
has been proposed as a means of returning the factor of safety to the level in the design 
requirements. A segment of an aft skirt is to be used to test the effectiveness of the 
external bracket modification. The test of this 11-inch-wide specimen may not duplicate 
the actual strains and boundary conditions that would be experienced by a complete aft 
skirt and, therefore, may yield unreliable results. 

Recommendation #18: The effects of the external bracket modification would be better 
evaluated if a full-scale skirt were tested in the facility that was previously used for the 
influence testing of a complete aft skirt. 





NASA Response: Several testing options were evaluated for the external bracket concept. 
The first option was an influence test in which an aft skirt is loaded without and with the 
external bracket. This test would not destroy an aft skirt. The influence test option was 
eliminated because of the nonlinear behavior exhibited in weld region (the skirt will have 
to be loaded to high levels to obtain useful information). The next option considered 
was a full-scale aft skirt failure test. This type of test is limited in several ways. Only 
one holddown post can be taken to failure and provide useful test information. The 
magnitude of the test would result in a significant schedule impact. The complexity of 
an elaborate test setup would require a large engineering effort. The cost would 
approach that of a full Structural Test Article (STA) test. 


The component test method was proposed to avoid the problems of the full-scale aft 
skirt test. The component concept allows the testing of up to four test articles to failure. 
Direct comparison between the external bracket concept and the baseline configuration 
under identical test conditions can be made. The component test concept requires a 
smaller and less complex test fixture than for a full-skirt test. The cost and schedule 
impact are much less than for a full-skirt test. 


The validity of the component test concept depends on the ability to develop a load set 
that provides a proper state of stress in the area of the external bracket (critical weld 
region). Finite element analysis has determined that the external bracket does not affect 
the overall stiffness of the aft skirt. The regions affected by the bracket are included in 
the test article. Detailed finite element models were used to develop a set of test loads 
which will produce the STA-3 state of stress in and around the critical weld region. 
Furthermore, the STA-3 distribution has shown agreement with strain data from flight 
vehicles. The component test method is the preferred method of testing both from a 
technical and an economic point of view. 


Finding #19: Potential stress-corrosion cracking of case welds on the ASRM is an 
acknowledged problem. The residual stress is not uniform over the entire weld. 
Residual stress peaks can occur at the start and stop of the welding process. 

Recommendation #19 : The ASRM program should assess the adequacy of its stress- 
corrosion cracking test plan to assure that sufficient pass/fail criteria tests are included. 

NASA Response: ASRM takes issue with this finding/recommendation. The project has 
conducted an extensive test program utilizing resources at Babcock and Wilcox, the 
University of Missouri, and the Marshall Space Flight Center (MSFC) Materials and 
Processes Laboratory with the goal of quantifying residual stresses as well as evaluating 
susceptibility to stress-corrosion cracking. This program is virtually complete and the 
Aerospace Safety Advisory Panel (ASAP) concerns are being shown to be nonproblems. 

Finding #20: The top-level requirements document for the ASRM manufacturing 
software is not scheduled to be available until July 1993. Also, systems integration and 
systems-level testing plans for the ASRM manufacturing facility are not yet ready. 





Recommendation #20: The overall ASRM manufacturing system software requirements 
document and systems integration and test plans are important parts of the system 
development. They should include a comprehensive test plan and an evaluation 
mechanism capable of tracking the system operation through its lifetime. 

NASA Response: ASRM currently has activities underway which address each of the 
ASAP concerns in these areas. 

Overall ASRM manufacturing systems and integration requirements are being detailed in 
the Automated Manufacturing Systems (AMS) specification document which is currently 
under development and will be completed in July 1993. This document will define the 
total manufacturing computer system hardware and software requirements for 

An integrated test plan for the AMS software is also being developed and will be 
completed in the same timeframe. A manufacturing test bed is being built which will be 
utilized to verify AMS software requirements in accordance with the integrated test plan. 

LAUNCH AND LANDING 

Finding #21: The KSC has begun a pilot Structured Surveillance program with the 
objective of increasing the efficiency of the quality control function in order to enhance 
launch turnaround processing. This program appears to have great potential. 

Recommendation #21: Before Structured Surveillance can be fully implemented it must 
be carefully evaluated to assure that it is fully supportive of safe flight operations. 

NASA Response: The Structured Surveillance program is in the early stages of 
development with emphasis on maintaining safe flight operations. Operations and 
Maintenance Requirements Specifications (OMRSs) derived from Critical Items Lists 
(CILs) or Hazard Report acceptance rationale will continue to have the previous level of 
quality assurance inspections. Acceptance and installation of Criticality hardware will 
also continue to have both contractor and NASA inspections. Evaluation of the results 
of the pilot program indicates increased efficiency of the processing effort and continued 
effectiveness of the quality assurance activities. We are moving slowly into this program 
with close management attention to assure safe flight operations. 

Finding #22: The use of task teams at KSC has expanded with apparently successful 
results. 

Recommendation #22: Continue to develop and use the task team concept. If structured 
surveillance proves successful, consideration should be given to integrating it with 
task teams. 

NASA Response: The task teams will continue to be developed and used because of the 
positive results from this concept. The Structured Surveillance program is in the early 
stages of development and as it matures, consideration will be given to integrating it with 
the task teams. 

Finding #23: A new high bay Orbiter Processing Facility (OPF-3) has been opened at 
the KSC. In addition to advanced support equipment, OPF-3 has vastly improved 
lighting, which should decrease accident risk and increase productivity. 

Recommendation #23: NASA should upgrade the lighting in the other orbiter processing 
facilities as soon as possible to avoid differences across the high bays and maximize 
safety and productivity. 

NASA Response : KSC acknowledges the findings and agrees with the recommendation. 
Actions are in process to improve the lighting disparities. Because the most significant 
differences are in platform configurations and light-reflective surfaces, all surfaces that 
can reflect light on High Bay 1 and 2 platforms are being painted white. The floors in 
High Bay 1 are also being painted white and those in High Bay 2 are scheduled to be 
painted white in August 1993. 

LOGISTICS AND SUPPORT 

Finding #24: The NASA Shuttle Logistics Depot (NSLD) has great potential for 
improving repair turnaround times and enhancing the logistics program. At present, 
however, repair turnaround times are still significantly longer than desired due largely to 
protracted failure analysis times. 

Recommendation #24: The Space Shuttle program needs to establish a more effective 
method of moving units through the repair cycle in order to achieve the full potential of 
the NSLD. 

NASA Response: The protracted failure analysis times, especially those involving original 
equipment manufacturers (OEMs), are the most prominent contributors to the long 
repair turnaround times. Such turnaround times involving OEMs have averaged about 
four times those at the NSLD. The failure analysis capability at the NSLD has been 
enhanced during the past year. Initiatives are also underway with the Johnson Space 
Center (JSC) Orbiter and GFE project to improve the overall failure analysis process 
relative to identification of requirements as well as location where the analysis is 
performed. The increasing utilization of the KSC NSLD capability for both failure 
analysis and repair will significantly improve the average repair turnaround time and the 
overall logistics program in general. 

Finding #25: Performance of the Space Shuttle logistics system is excellent and 
difficulties such as loss of suppliers are being diligently addressed and corrected. 

Recommendation #25: Continue placing the strongest possible emphasis upon controlling 
the growth in the number of below-minimum or zero-stock levels. Where possible, 
alternative sources should be qualified or manufacturing and repair capabilities should 
be transferred to NASA facilities such as the NSLD to compensate for the loss of 
suppliers. 

NASA Response: Emphasis has been placed on initiating additional transition of repairs 
to the NSLD and other Government facilities (i.e., White Sands) to compensate for 
supplier loss, high costs, and instability. A total of 19 certifications are planned this year 
and 20 vendors are being reviewed for future transition. Particular issues such as zero or 
below minimum stock levels are emphasized at the project level and reviewed routinely 
by the program for adverse trends. 




C. AERONAUTICS 


Finding #26: A NASA Headquarters Aircraft Management Office (AMO) has been 
established. The office is headed by a senior manager reporting directly to an Associate 
Administrator. In addition, a new, comprehensive NASA Aviation Safety Officers 
Reference Guide has been promulgated. 

Recommendation #26: NASA should continue to support a strong Aircraft Management 
Office and manage the NASA Aviation Safety program in accordance with the NASA 
Aviation Safety Officers Reference Guide. The longstanding and dedicated Intercenter 
Aircraft Operations Panel (IAOP) should be maintained as an independent entity. 
Together, the AMO and IAOP, guided by this reference guide, should be highly effective 
in maintaining the safety of NASA’s aviation activities. 

NASA Response: NASA agrees that a strong AMO and an independent IAOP will 
contribute to the safe and efficient operation of NASA aircraft and that the Aviation 
Safety program should be managed in accordance with the NASA Aviation Safety Officers 
Reference Guide. The guide was developed by the Headquarters OSMA to improve the 
NASA Aviation Safety program which is conducted according to the provisions of NASA 
Management Instruction (NMI) 7900.2A, "NASA Aircraft Operations Management"; 
NHB 7900.3 (VI), "Aircraft Operations Management Manual"; Chapter 7 of NHB 
1700.1(V1-B), "NASA Safety Policy and Requirements Document (formerly the Basic 
Safety Manual)"; and other applicable NASA directives. 

Finding #27: NASA maintains a fleet of aircraft for management and administrative 
purposes. Many of these aircraft are old, and some have even exceeded their originally 
specified service lives. Although excellent maintenance is currently coping with problems 
such as stress corrosion due to age, safety can be compromised if the level of 
maintenance decreases. 

Recommendation #27: NASA should conduct a review of its aging aircraft and establish 
a coordinated program of upgrades, replacements, and appropriate additional safety 
inspections. 

NASA Response: Concur, the AMO is leading an Agencywide, multifaceted effort 
examining aging aircraft. The AMO is aggressively pursuing opportunities for obtaining 
newer, more efficient aircraft that become available as a result of the military drawdown. 
The AMO, in conjunction with the IAOP is developing a rigorous enhanced Gulfstream I 
Structural Corrosion Control Inspection to validate the integrity of these 30-year-old 
aircraft. This inspection program will be adapted to other older aircraft in the NASA 
fleet. NASA will continue to maintain all its aircraft to the highest standards to ensure 
safe, efficient, productive mission accomplishment. 





Finding #28: Flight Research at the Dryden Flight Research Facility (DFRF) includes a 
number of test programs with aircraft, such as the F-15 and SR-71, that are potentially 
hazardous and therefore require a continuous and detailed safety effort. ,^ ^ de 
safety procedures and activities continue to control the risks associated with these flight 
tests. 

Recommendation #28: DFRF should maintain emphasis on the practice of periodic 
reviews of safety procedures to ensure that all reasonable risk reduction measures are 
being taken. 

NASA Response: DFRF procedures for flight program development, flight readiness 
reviews, and flight test operations have been long established and well proven. Safety 
assurance and risk management reviews are, and will continue to be, conducted 
periodically by DFRF, Ames Research Center, the IAOP, and NASA Headquarters. 





D. OTHER 


Finding #29: At the request of the NASA Administrator, the panel examined the 
organizational structure of the Office of Safety and Mission Quality and the counterpart 
organizations at NASA Centers. The study concluded that the current organizational 
arrangement provides an appropriate and effective relationship between NASA 
Headquarters and the Centers. 

Recommendation #29: Maintain the current organizational structure, but clarify the 
functions and duties of the Headquarters Office of Safety and Mission Quality and those 
of Center Directors and, if necessary, issue revised NMIs. 

NASA Response: The role and responsibilities of the Headquarters Office of Safety and 
Mission Quality (Code Q) have been realigned as the result of the recent internal NASA 
Headquarters red team/blue team reviews. Based on the teams’ findings, the name of 
Code Q has been changed to the "Office of Safety and Mission Assurance" to more 
accurately reflect its function. Other changes have been instituted to streamline the 
overall activity and realign resources to better support the evolving needs of NASA 
programs and missions. A NMI incorporating these changes was signed on April 9, 1993. 

Although the mandate of the OSMA will continue to emphasize its role as the Agency’s 
"safety conscience," the changes ensure an appropriate and harmonious balance between 
Code Q’s independent program oversight and support functions. The Office will provide 
an upfront contribution to programs (prevent problems by building in safety, reliability, 
and quality assurance at the earliest possible stage), focus efforts to manage the quality 
process for NASA payloads, and increase system engineering/concurrent engineering 
capabilities, while expanding risk-management capabilities to support program managers 
in meeting schedule and budget constraints during critical decisionmaking processes. 

The strategic thrust of the Office over the next 2 years will be to: (1) Integrate 
SRM&QA requirements at the appropriate stage of a program; (2) Advocate SRM&QA 
oversight and assessment functions across the Agency; (3) Develop and promote 
NASA-wide risk-management practices; (4) Maintain a strong contributing SRM&QA presence 
in NASA programs and operations; and (5) Develop and advance engineering standards 
and practices. 

Finding #30: NASA has begun development of a Simplified Aid for Extravehicular 
Activity (EVA) Rescue (SAFER). SAFER is a small maneuvering unit intended to fit at 
the bottom of the Portable Life Support System (PLSS) of an EVA astronaut. Its main 
purpose would be to permit the safe recovery of an astronaut who becomes untethered 
from the Space Station or an orbiter that was operating in a mode which prevented it 
from moving quickly for a recovery. SAFER would also provide significant 
maneuverability for EVA astronauts, without the need to carry and deploy the larger and 
more complex Manned Maneuvering Unit (MMU). The SAFER concept has merit for 
enhancing safety and improving operational efficiency. The development program 
appears to have proceeded satisfactorily. 

Recommendation #30: Because the requirement for a SAFER as a rescue unit appears 
to be well founded, and it has additional mission benefits, its full-scale development is 
recommended as soon as possible. 

NASA Response: SAFER design, study, and pre-production activity is continuing. 

A Project Management Plan for Phase I of the Flight Test project (FIT) has been 
written. Requirements validation for the SAFER has been established, and development 
testing of a prototype SAFER unit has been successfully conducted. A Flight Test 
Article (FTA) is being built at this time. Once built, the FTA will be flown on a Shuttle 
mission. This flight will be used to validate SAFER operating characteristics and ensure 
adequate engineering performance in a space environment. This type of activity is 
essential in confirming the accuracy of ground-based simulations. Results of this 
will be used to refine the SAFER design prior to production. Manifest options for the 
FTA are currently being considered in the 1994 timeframe. Phase II of the project, the 
SAFER flight production project, will be initiated after completion of this activity. 

Finding #31: The Intelsat repair mission highlighted the need for additional types of 
crew training aids that can augment existing computerized and underwater simulators to 
provide better representation of the dynamics involved in EVA work efforts. The virtual 
reality systems being developed by NASA and others appear to offer significant promise 
for providing some of the additional training needs. 

Recommendation #31: NASA should begin a program to the benefits of using 
virtual reality systems in more aspects of astronaut training. 

NASA Response: Virtual reality technology is currently being investigated for 
applicability to training by several Centers: JSC is developing a virtual reality training 
simulator to help prepare astronauts for Hubble-related maintenance; Ames Research 
Center is working with dynamic response of virtual environment spatial sensors, 3-D 
auditory displays for aeronautical applications, and extravehicular activity self rescue in 
virtual environments; Jet Propulsion Laboratory has developed interfaces with telerobotic 
control using virtual reality environments; MSFC is studying virtual reality applications to 
microgravity mobility and ergonomics; and Goddard Space Flight Center is investigating 
the use of virtual reality technology for telerobotics. All of these activities apply to the 
simulation and training of astronauts for Shuttle EVA and Space Station maintenance 
activities. A NASA technical report on virtual reality technology is expected to be 
published during the summer of 1993. This report will describe all Center research 
efforts and proposed applications of virtual environments. This report represents a 
major step toward the goal of providing a more realistic environment for astronaut 
training. 





Finding #32: In spite of some progress, the Space Shuttle and Space Station Freedom 
programs are still not sufficiently addressing human factors issues. For example, the 
absence of a definitive user console layout standard between NASA and the international 
partners for the Space Station could cause problems for training and on-orbit operations. 

Recommendation #32: NASA management should encourage the active consideration of 
human factors issues within the Space Shuttle and Space Station Freedom programs. 
This might be best accomplished by requiring the inclusion of someone with specific 
human factors training in decisionmaking at all levels. 

NASA Response: The panel’s advocation of increased human factors involvement in 
NASA programs has not gone unheeded. NASA concurs that increased involvement of 
human factors professionals in the decisionmaking process is required. Human factors 
professionals from the crew systems organization at the JSC are deeply involved in the 
MEDS development project. Active involvement of human factors professionals in other 
recently initiated Space Shuttle improvement projects will also bear witness to our 
increased commitment to improved human factors. Additionally, the JSC Director 
recently highlighted the increased role that the Center needs to play in the area of 
human/machine interfaces on current and future NASA programs. 

While the Space Station program is not staffed with human factors engineers, the crew 
systems and life sciences personnel perform this function at Level II with institutional 
support from JSC. The Safety Office performs oversight of the function as a safety 
concern. 


Human factors requirements and their implementation are very high on the priority of 
the Space Station Freedom program. Human factors requirements are embedded in the 
SSP 30000, "Program Design Requirements Documents." Additionally, NASA Standard 
30000, Volume IV, "Space Station Freedom Man-Systems Integration Standards," 
published by the JSC Crew Systems Division, is an applicable requirements document. 
This document has recently been updated to add common EVA workstation interfaces. 
The international partners have either accepted these requirements, or submitted their 
own human factors requirements document(s) for meets-or-exceeds negotiation per 
Memorandum of Understanding. 

Implementation of these requirements is reviewed by several NASA groups, including 
the Extravehicular Activity System (EVAS) Working Group and Freedom Safety Review 
Panel. Mission Operations considers human factors when it reviews planned operations. 
The Milestone Design Reviews also address human factors. Priority for the 
implementation of commonality in design is based on the safety criticality of the 
function. In some cases, the program has determined that a commonality of a function is 
so critical that NASA makes its hardware available to the international partners. The 
Space Station will continue to emphasize human factors considerations in its design. 





Finding #33: Independent verification and validation (IV&V) of large software systems 
is considered critical to program success. There has been some confusion over the 
IV&V activity for SSFP and the role of various groups in accomplishing it. 


Recommendation #33: NASA should develop a clear definition of what is meant by 
IV&V. This definition should encompass both the activities to be performed as part of 
verification and validation and the degree of independence required. 


NASA Response: In NSTS 08271, "Flight Software Verification and Validation 
Requirements," NASA formally defined an embedded process and requirements for the 
Space Shuttle program. This process includes maintenance of many detailed test 
procedures, and the SR&QA organization audits this process. NASA began a study to 
evaluate this embedded process relative to the need for IV&V and coordinated this 
activity with the National Research Council. Study results should be available in late 
1993. 

NASA will establish an IV&V facility in Fairmont, WV, later this year. At this facility, 
NASA will develop an Agencywide IV&V capability and provide IV&V support to 
programs, including Space Station. Through this effort, NASA will develop an 
Agencywide IV&V policy, conduct IV&V research, demonstrate tool/technique 
applications, and develop training requirements. The IV&V policy will include a clear 
definition of IV&V, identify the essential IV&V activities, and state the relationship of 
IV&V to other program activities. 

SSP 30000, Section 12, paragraph 4.1.14, "Space Station Master Verification 
Requirements," requires IV&V of all flight software that supports Category 1, 1C, and 2S 
functions or is resident in Criticality 1 and 1R hardware. The program has been 
performing the IV&V functions; however, the process has not been formalized. SSP has 
utilized the Engineering Integration Contractor (EIC) as the program-level IV&V agent. 
The EIC is totally independent of all software developers in the program and reports 
directly to the Level II Program Office. Tasking is currently in place with EIC to 
perform typical design Phase IV&V tasks. 

Tasks performed by EIC during the requirements phase of the program were specifically 
directed at requirement traceability analysis, review of requirements for consistency and 
completion, and independent assessments involving system performance projections and 
requirement correctness. The EIC has a track history of performing this IV&V function 
in every major software review and has provided numerous independent assessments to 
the Program Office. As the program enters the coding and test phases, new tasks will be 
issued to the EIC to conduct independent tests of each flight load for certification for flight readiness.

SSP 30666, Volume 4, Part 2, "Master Independent Verification and Validation Plan,"
will formally document this program-level software IV&V process. It should also be 
noted that each work package prime contractor has a verification and validation 




development organization to provide the IV&V
^^^co^'nu^^denh^iifspa^a^aeronamics^Re&retmWy' som^ofthe^ 11 ' 1 ^ 

r“«es S Z S.^r y maimained ' a " d ,he deVe ' OPmem 0f new> State -° f - 

Recommendation #34: NASA should develop an integrated long-range infrastructure
comimie' f SUr “ the maintenance of existing assets and develops new facilities to
continue American leadership in space and aeronautics research and development.

NASA Response: NASA has embarked on a comprehensive study to develop a
coordinated national plan for world-class aeronautical and space facilities that meets the

development P Md C fm gT ^ commercial and Government-sponsored research and
the Department r n ° Government space operations. The plan will be coordinated with
SeoaZeT^V enSe ' Department of Energy, Department of Commerce,
Department of Transportation, and the National Science Foundation. Industry
been contacted to ensure that private-sector interests
and consolidation and phaseout of existing facilities. The development of
accomplished by three task groups: Aeronautics R&D Facilities,
Space R&D Facilities, and Space Operations Facilities; all three of which are of interest
to constituencies in the private sector. The results of the study will be an essential

inZZlrl ° Ur mternal t0 impr ° Ve and C ° minue t0 our Sty 

Finding #35: The Tethered Satellite System deployment failed as a result of a field
modification that was improperly controlled and tested. The change process
employed did not uncover the flaw.

Recommendation #35: NASA should increase its emphasis on complete system testing
when feasible. In addition, care should be exercised to ensure that changes to flight
systems between completion of the last total systems test and the flight of the equipment
are properly analyzed, controlled, and executed.

NASA Response: NASA agrees. The OSMA is developing a NMI "Verification of
StaK 6 ?' This NMI is applicable to NASA Headquarters and Field
Installations, both to activities performed at NASA facilities and those performed at
contractor sites in accordance with contract requirements. This NMI establishes policy
and responsibilities for verifying that NASA Space Flight Systems meet performance and

? e n r n a ^" al requirements. It includes requirements for verification program definition
snecrfi. P Hr entatl0n risk evaluation, and independent assessment. The NMI
stating tha Y t afltonfil^^ em h ^ those encountered by the Tethered Satellite, by
configuration changes made subsequent to qualification or acceptance





testing shall require a system engineering evaluation and requalification by the same 
process initially used. 

Finding #36: NASA has embraced the concept of Total Quality Management (TQM).
NA qa rvntM* and contractors appears to vary
to have more form than substance.

Recommendation #36: NASA should review its internal TQM program to assure that it
• , |ldes not only motivation, but also
°" d h — empl —

NASA Response: NASA’s Continual Improvement Office (Code T) is currently
completing efforts to provide . planning industry experts 

Plan has been written. The plan 

s have 

m ^ A d:“pporh P and training that meets the 

strategic goals and directions of the Agency. 

Finding #37: The Aerospace Medicine Advisory Committee has produced a report
2S6f^-S»£— for Support of Humans in Space and Moon/Mars 

duration space flight. 

Recommendation #37: NASA should address the recommendations contained in the
referenced report in a timely fashion. 

S 1 n~«d those recommendations applicable to the life sciences, through
the definition of science priorities and their discipline plans, within the last 2 years.





The report recommendations recognize that the space exploration program might be 
deferred to a future date. The timeline for incorporating space exploration 
recommendations will be modified to adapt to the goals of NASA. 





APPENDIX C 

AEROSPACE SAFETY ADVISORY PANEL ACTIVITIES 
JANUARY 1993 - JANUARY 1994 


JANUARY

15 Space Shuttle Main Engine Assessment, Marshall Space Flight Center

26 Assured Shuttle Availability Program Discussion with General Accounting Office, NASA Headquarters

27 Space Shuttle Main Engine Assessment Presentation to NASA Administrator, NASA Headquarters


FEBRUARY 

11 STS-55 Flight Readiness Review, Kennedy Space Center 

22-23 Aerospace Medicine Advisory Committee Meeting, NASA Headquarters

23-25 Integrated Logistics Panel Meeting, Marshall Space Flight Center

MARCH 

17 ^ ^ Russian Program Briefings, NASA Headquarters

18 Aerospace Safety Advisory Panel Annual Meeting, NASA Headquarters 

APRIL 

21 Auxiliary Power Unit Briefing, Sundstrand 

22 Kennedy Space Center Operations Discussions, Kennedy Space Center 

23-24 STS-55 L-2 and L-1 Day Review, Kennedy Space Center





MAY

3 Space Station Redesign Presentation, Crystal City, VA

4-6 Intercenter Aircraft Operations Panel Meeting, Tucson, AZ

11 Review of Space Shuttle Main Engine Firing and External Tank activities,
Stennis Space Center

12 External Tank Briefing, Martin Marietta, Michoud Assembly Facility

17 Pre-Congressional Testimony Briefing with Associate Administrator for
Safety and Mission Assurance, NASA Headquarters

18 Aerospace Safety Advisory Panel Annual Report Congressional Testimony,
Washington, DC

25-26 Rocketdyne Procedures and Processes Study, Marshall Space Flight Center

JUNE

15-16 Procedures and Processes Study, Rocketdyne

22 F-15B Advanced Flight Test Fixture Flight Readiness Review Aerodynamic
Flight Test, Dryden Flight Research Facility

25 National Research Council Committee Review of Space Shuttle Flight
Software Process, Johnson Space Center

28-29 Kennedy Space Center Operations Review

JULY

13 Review of Flight Test Programs, Dryden Flight Research Facility

14 Orbiter 104 Review, Rockwell Palmdale Facility

15 Review of Orbiter Program Operations Safety Enhancements, Autoland,
Rockwell Downey

21 Aerospace Medicine Advisory Committee Meeting, NASA Headquarters

22 X-31 Tactical Utility Testing Flight Readiness Review, Dryden Flight
Research Facility



AUGUST 


19 Discussions concerning Rocketdyne Procedures and Processes Study; ASAP
Comments on General Accounting Office Space Shuttle Main Engine
Report; and Kennedy Space Center Processing Procedures with
Administrator, NASA Headquarters

26 Software Discussion/Teleconference with the Office of Safety and Mission
Assurance


SEPTEMBER 


8-9 Structured Surveillance Discussion, Kennedy Space Center 

14-17 Integrated Logistics Panel Meeting, Kennedy Space Center 

20 Rocketdyne Procedures and Processes for Space Shuttle Main Engine
Presentation to Senior Management, NASA Headquarters

23-24 Structured Surveillance, Kennedy Space Center

29-30 Space Shuttle Program, Russian Program, Hubble Program Reviews,
Johnson Space Center


OCTOBER 

5 Awards Ceremony, NASA Headquarters 

Software and Kennedy Space Center Processing Discussion with the 
Associate Administrator for Space Flight, NASA Headquarters 

19-21 Shuttle Processing Reviews, Kennedy Space Center 

Software Discussion with the Offices of Safety and Mission Assurance, and 
Space Flight, NASA Headquarters 


NOVEMBER 

2 Review of Space Shuttle Main Engine Program, Redesign Solid Rocket
Motor Program, Lightweight External Tank Program and Space Station
Alpha Program, Marshall Space Flight Center

16 Aeronautics Discussion with Associate Administrator for Aeronautics,
NASA Headquarters

16 Flight Readiness Review on Use of Helmet Mounted Visual Audio
Display, Dryden Flight Research Facility


DECEMBER 

9 High Altitude Unmanned Vehicle Flight Readiness Review, Dryden Flight
Research Facility

Total Quality Management Discussions with Associate Administrator for
Continual Improvement, NASA Headquarters

16 Space Shuttle Discussion with General Accounting Office, NASA
Headquarters







